Gritty details of automatic resigning in 9.6?
Mark Andrews
Mark_Andrews at isc.org
Tue Oct 14 23:39:45 UTC 2008
In message <Prayer.1.3.0.0810142102220.25025 at hermes-1.csi.cam.ac.uk>, Chris Thompson writes:
> I've been looking at the BIND 9.6.0a1 distribution for details of the
> automatic re-signing facilities. The "NSEC3-NOTES" file gives an overview
> ("it just happens") and the updated ARM tersely mentions a number of new
> options/zone parameters
>
> sig-re-signing-interval number ;
> sig-signing-nodes number ;
> sig-signing-signatures number ;
> sig-signing-type number ;
>
> but is there anything more detailed that I have missed? (Maybe I have
> to read the code :-)) I'm particularly concerned with how the SOA serial
> is maintained, and what IXFRs look like, and how the "signing-type" is
> used.
>
> --
> Chris Thompson
> Email: cet1 at cam.ac.uk
Re-signing applies to secure dynamic zones. Named updates
the serial and generates IXFRs just like it would for an
UPDATE request. Think of it as an internally generated
UPDATE request to replace signatures that are scheduled to
be re-generated. That generation is done when 1/4 of the
signature validity interval remains, though it is tunable.
Named maintains a list of when RRSIGs need to be re-generated
and re-generates them at that time. RRSIGs for offline keys
are excluded from this list.
The gory details are in lib/dns/zone.c:zone_sign().
When re-signing it will sign up to sig-signing-signatures
signatures at a time. The candidate RRSIGs are those which
would be a candidate for re-signing in the next 5 seconds.
The re-signing introduces some jitter into the signing
interval to cause the future re-signing load to be spread
over time. If you start with a reasonably sized zone that
is signed w/o jitter it will slowly spread so that there
is a fairly uniform re-signing load over time.
You end up with signature groups like the following.
% dig axfr dv.isc.org | awk '$4 == "RRSIG" {print $9, $10 }' | sort -n | uniq -c
11 20081103173431 20081004173335
11 20081103182508 20081004174904
12 20081103190533 20081004182752
10 20081103194942 20081004185510
9 20081103195144 20081004190341
11 20081103195603 20081004191130
1 20081104231227 20081005221530
4 20081106031547 20081007030220
1 20081106040220 20081007030220
%
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
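The schedule Mark describes above (re-sign when 1/4 of the validity interval remains, pick the candidates falling due within the next 5 seconds, sign at most sig-signing-signatures of them per pass) and the signature-group view produced by his dig/awk pipeline, worked through as an added example. This is not BIND's code and not from the original post: the RRSIG lines are constructed to mimic AXFR output (not real dv.isc.org data), and the field positions, 1/4 fraction, 5 second window and batch size are taken from the message, with the batch size passed in as a parameter because the post gives no default.

```python
"""Model of named's RRSIG re-signing schedule (added example, not BIND code)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample resembling `dig axfr` output: owner ttl class RRSIG type
# alg labels origttl expiration inception keytag signer signature. The field
# numbering matches Mark's awk: $4 == "RRSIG", $9 = expiration, $10 = inception.
SAMPLE_AXFR = """\
dv.isc.org.      3600 IN RRSIG SOA 5 3 3600 20081103173431 20081004173335 12345 dv.isc.org. AAAA
dv.isc.org.      3600 IN RRSIG NS  5 3 3600 20081103173431 20081004173335 12345 dv.isc.org. BBBB
www.dv.isc.org.  3600 IN RRSIG A   5 4 3600 20081103182508 20081004174904 12345 dv.isc.org. CCCC
mail.dv.isc.org. 3600 IN RRSIG A   5 4 3600 20081106031547 20081007030220 12345 dv.isc.org. DDDD
dv.isc.org.      3600 IN A 192.0.2.1
"""

RRSIG_TIME = "%Y%m%d%H%M%S"          # YYYYMMDDHHmmSS, always UTC in RRSIG text form


def parse_time(s):
    """Parse an RRSIG expiration/inception field into an aware UTC datetime."""
    return datetime.strptime(s, RRSIG_TIME).replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Return one dict per RRSIG line in zone-transfer style output."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or f[3] != "RRSIG":
            continue
        sigs.append({
            "owner": f[0], "type": f[4],
            "expiration": f[8], "inception": f[9],
        })
    return sigs


def signature_groups(sigs):
    """Equivalent of: awk '{print $9, $10}' | sort | uniq -c  (expiration, inception) -> count."""
    return Counter((s["expiration"], s["inception"]) for s in sigs)


def resign_time(sig, fraction=0.25):
    """Instant at which `fraction` of the validity interval remains.

    named's default is 1/4 of the interval (tunable via sig-re-signing-interval).
    """
    exp, inc = parse_time(sig["expiration"]), parse_time(sig["inception"])
    validity = exp - inc
    return exp - timedelta(seconds=validity.total_seconds() * fraction)


def due_for_resign(sigs, now, batch, window=timedelta(seconds=5)):
    """Candidates whose re-sign time falls within `now + window`, capped at `batch`.

    `batch` stands in for sig-signing-signatures; the post gives no default, so
    it is a required argument here (assumption).
    """
    due = [s for s in sigs if resign_time(s) <= now + window]
    due.sort(key=resign_time)
    return due[:batch]


if __name__ == "__main__":
    sigs = parse_rrsigs(SAMPLE_AXFR)
    for (exp, inc), n in sorted(signature_groups(sigs).items()):
        print(f"{n:4d} {exp} {inc}")
    now = datetime(2008, 10, 27, 5, 34, 15, tzinfo=timezone.utc)
    for s in due_for_resign(sigs, now, batch=10):
        print("re-sign", s["owner"], s["type"], "at", resign_time(s).isoformat())
```

The first RRSIG group in the sample has a validity of 30 days and 56 seconds, so one quarter is 7 days 12:00:14 and the two signatures in that group fall due at 2008-10-27 05:34:17 UTC; a pass at 05:34:15 picks them up inside the 5 second window while the www and mail signatures, with later re-sign times, are left for later passes.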