DNSSEC ZSK rollover
Tony Finch
dot at dotat.at
Tue Sep 1 10:19:27 UTC 2015
Evan Hunt <each at isc.org> wrote:
>
> It is intentional; it spreads out the work of resigning over a longer
> period of time to reduce the load on the server. (And a lot of people
> prefer smaller IXFRs anyway.)

We have tweaked sig-signing-nodes and sig-signing-signatures to make
incremental signing work in larger chunks. We also have a wee patch (by
Chris Thompson) which makes the re-signing jitter more clumpy, so RRsets
are re-signed if their scheduled time is within 5 minutes of the current
time instead of 5 seconds. This patch might be an answer to a comment in
this code which says:

    /* XXXMPA increase number of RRsets signed pre call */

https://git.csx.cam.ac.uk/x/ucs/ipreg/bind9.git/commitdiff/2eba83e63a8206d32e12f9f6b763fcdf63294b52

Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Viking, North Utsire: Easterly 4 or 5, increasing 6 at times. Slight or
moderate, but rough in southwest Viking. Showers later. Good, occasionally
poor later.
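
An added illustration, not part of the original post and not BIND's or the patch's code: a simplified model of the effect described above, comparing how many re-signing passes (and so how many IXFR-sized changes) result when RRsets are picked up within 5 seconds versus 5 minutes of their scheduled time. The pass model, the function names and the uniformly jittered schedule are assumptions made for the example.

```python
import random


def resign_passes(scheduled, window):
    """Return the number of RRsets signed in each re-signing pass.

    Simplified model (an assumption, not BIND's code): a pass fires at the
    earliest pending scheduled time and signs every RRset whose scheduled
    time is within `window` seconds of that moment.
    """
    pending = sorted(scheduled)
    batches = []
    i = 0
    while i < len(pending):
        now = pending[i]              # timer fires for the earliest RRset
        j = i
        while j < len(pending) and pending[j] <= now + window:
            j += 1                    # RRset falls inside the window
        batches.append(j - i)
        i = j
    return batches


def summarize(scheduled, window):
    """Summarise pass count and batch sizes for one window setting."""
    batches = resign_passes(scheduled, window)
    return {
        "window_s": window,
        "passes": len(batches),
        "largest_batch": max(batches),
        "mean_batch": round(len(scheduled) / len(batches), 1),
    }


def constructed_schedule(n=2000, span=86400, seed=1):
    """Constructed sample: n re-sign times jittered uniformly over one day."""
    rng = random.Random(seed)
    return [rng.uniform(0, span) for _ in range(n)]


if __name__ == "__main__":
    sched = constructed_schedule()
    for window in (5, 300):           # 5 seconds vs 5 minutes, as in the post
        print(summarize(sched, window))
```
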