Gritty details of automatic resigining in 9.6?

Mark Andrews Mark_Andrews at isc.org
Tue Oct 14 23:39:45 UTC 2008


In message <Prayer.1.3.0.0810142102220.25025 at hermes-1.csi.cam.ac.uk>, Chris Thompson writes:
> I've been looking at the BIND 9.6.0a1 distribution for details of the
> automatic re-signing facilities. The "NSEC3-NOTES" file gives an overview
> ("it just happens") and the updated ARM tersely mentions a number of new 
> options/zone parameters
> 
>     sig-re-signing-interval number ;
>     sig-signing-nodes number ;
>     sig-signing-signatures number ;
>     sig-signing-type number ;
> 
> but is there anything more detailed that I have missed? (Maybe I have
> to read the code :-)) I'm particularly concerned with how the SOA serial
> is maintained, and what IXFRs look like, and how the "signing-type" is
> used.
> 
> -- 
> Chris Thompson
> Email: cet1 at cam.ac.uk

	Re-signing applies to secure dynamic zones.  Named updates
	the serial and generates ixfr's just like it would for a
	UPDATE request.  Think of it as an internally generated
	UPDATE request to replace signatures that are scheduled to
	be re-generated.  That generation is done when 1/4 of the
	signature validity interval remains though it is tunable.

	Named maintains a list of when RRSIGs need to be re-generated
	and re-generates them at that time.  RRSIGs for offline keys
	are excluded from this list.

	The gory details are in lib/dns/zone.c:zone_sign().

	When re-signing it will sign up to sig-signing-signatures
	signatures at a time.  The candidate RRSIGs are those which
	would be a candidate for re-signing in the next 5 seconds.
	The re-signing introduces some jitter into the signing
	interval to cause the future re-signing load to be spread
	over time.  If you start with a reasonably sized zone that
	is signed w/o jitter it will slowly spread so that there
	is fairly uniform re-signing load over time.

	You end up with signature groups like the following. 

% dig axfr dv.isc.org | awk '$4 == "RRSIG" {print $9, $10 }' | sort -n | uniq -c
  11 20081103173431 20081004173335
  11 20081103182508 20081004174904
  12 20081103190533 20081004182752
  10 20081103194942 20081004185510
   9 20081103195144 20081004190341
  11 20081103195603 20081004191130
   1 20081104231227 20081005221530
   4 20081106031547 20081007030220
   1 20081106040220 20081007030220
% 

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
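The grouping that the awk pipeline in Mark's reply produces, together with the "re-sign when 1/4 of the validity interval remains" and "candidates for the next 5 seconds" rules he describes, as an added example (Python written for this page, not BIND's code or anything from the thread). The zone lines are constructed, the function names are assumptions, and the RRSIG field layout assumed is standard `dig axfr` presentation format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in `dig axfr` presentation format (not a real transfer);
# all RRSIG timestamps are UTC, so naive datetimes are used throughout.
ZONE = """\
example.test. 3600 IN RRSIG SOA 7 2 3600 20081103173431 20081004173335 12345 example.test. c2ln
example.test. 3600 IN RRSIG NS 7 2 3600 20081103173431 20081004173335 12345 example.test. c2ln
www.example.test. 3600 IN RRSIG A 7 3 3600 20081106031547 20081007030220 12345 example.test. c2ln
"""
FMT = "%Y%m%d%H%M%S"

def parse_rrsigs(text):
    """Return (expiration, inception) datetimes for each RRSIG line.
    Fields are: owner ttl class RRSIG type alg labels origttl expiration
    inception keytag signer sig, so awk's $9/$10 are f[8]/f[9] here."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) > 9 and f[3] == "RRSIG":
            out.append((datetime.strptime(f[8], FMT), datetime.strptime(f[9], FMT)))
    return out

def signature_groups(text):
    """Count RRSIGs per (expiration, inception) pair, as `sort -n | uniq -c` does."""
    return Counter(parse_rrsigs(text))

def resign_time(expiration, inception, fraction=0.25):
    """Instant at which `fraction` of the validity interval remains.
    named's default, per the reply above, is 1/4 (tunable)."""
    return expiration - (expiration - inception) * fraction

def due_for_resigning(text, now_str, window=timedelta(seconds=5)):
    """RRSIGs whose re-sign time falls within `window` of `now_str` (same
    YYYYMMDDHHMMSS format), mirroring the 5-second candidate rule."""
    now = datetime.strptime(now_str, FMT)
    return [(e, i) for e, i in parse_rrsigs(text) if resign_time(e, i) <= now + window]

if __name__ == "__main__":
    for (exp, inc), n in signature_groups(ZONE).items():
        print(n, exp.strftime(FMT), inc.strftime(FMT), "resign at", resign_time(exp, inc))
```

Run it against a real transfer by replacing `ZONE` with the output of `dig axfr <zone>`; groups whose re-sign time is already in the past indicate signatures named has not yet refreshed.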


More information about the bind-users mailing list