Auto-dnssec maintain and 'continuous' resigning

Carlos M. Martinez carlosm3011 at gmail.com
Thu Apr 4 15:55:07 UTC 2013


Thank you very much for all the bits, certainly very helpful.

My problem is that this cycle of zone signing triggers zone number
increases and generates dozens of NOTIFY messages and the corresponding
zone transfers to all slaves within a short period of time, something
which I believe is not very friendly to my gracious slave service
providers.

Since my signer instance does not provide public service, I would rather
prefer the signing to be done in a single op and then send a single
NOTIFY to slaves.

Maybe my problem is 'auto-dnssec maintain', maybe I would be better off
with the other options.

Looking forward to your thoughts.

~Carlos

On 4/3/13 7:48 PM, Mark Andrews wrote:
> 
> In message <515A92A5.3020302 at imperial.ac.uk>, Phil Mayers writes:
>> On 04/01/2013 07:36 PM, Carlos M. Martinez wrote:
>>> Reframing the question in more general terms... Which events trigger a
>>> zone re-sign and reload when using "auto-dnssec maintain" ?
>>
>> As someone else has already said, zone updates, signature expiration and 
>> key events.
>>
>> In particular, it's normal for the SOA serial to constantly increase in 
>> a zone with "auto-dnssec maintain", even if nothing else happens, 
>> because the signatures will be regenerated every N days. N depends on 
>> your config, but is 0.75 * default_sig_life (30 days) by default i.e. 
>> signatures are generated every 22.5 days.
> 
> Named attempts to spread out re-signing load for a zone over time
> even if the zone content is essentially static.  It takes time to
> regenerate signatures so you don't want non-threaded builds to stall
> too long re-signing.
> 