DNSSEC inline/auto - burst of resigning/updates?

Tony Finch dot at dotat.at
Mon Sep 9 10:47:37 UTC 2019


Brandon Applegate <brandon at burn.net> wrote:
>
> Tonight though in about an hour, the serial number was incremented 12
> times and NOTIFYs sent.  My home firewall is stable, and my DKIM
> rotation happens monthly via cron.  So there’s nothing in the logs
> regarding a DDNS update.
>
> My question is - what could prompt these changes? I don’t see a
> pattern in time or anything else in the logs.

The prompt would have been regular zone re-signing activity, which (as
Mark says) is done in small chunks. You can control the size of the chunks
with the `sig-signing-nodes` and `sig-signing-signatures` options. If you
want to reduce NOTIFY / IXFR traffic, you might want to increase these
options, though it's probably only a good idea if you have a hidden
primary server that isn't answering other queries.

You should find that re-signing gets spread out over time due to update
activity and because of the randomizing jitter that Mark mentioned. So on
a more mature zone you might not get such an intense flurry of signature
updates. The jitter is 1 hour (in normal configurations) and there isn't
a direct way to change it, unlike the -j option to `dnssec-signzone`.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Wight: South 4 to 6, becoming variable 3 or less. Slight, occasionally
moderate at first. Showers, perhaps thundery. Moderate or good.
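As an added example (not part of Tony's reply, and not a BIND tool), the following Python script parses named's "sending notifies (serial N)" log lines and counts how many serial bumps a zone had inside any one-hour sliding window, which is how one would tell a chunked re-signing burst like the one Brandon describes from a single DDNS update. It assumes BIND's default log line format (timestamp, category, severity, then the zone message); the log lines below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample named log lines (not taken from the thread). Format
# follows BIND's default "dd-Mon-yyyy HH:MM:SS.mmm category: severity:" prefix
# and the "zone <name>/IN: sending notifies (serial N)" message.
SAMPLE_LOG = """\
09-Sep-2019 00:10:00.004 notify: info: zone example.org/IN: sending notifies (serial 2019090701)
09-Sep-2019 01:02:11.512 notify: info: zone example.net/IN: sending notifies (serial 2019090801)
09-Sep-2019 01:07:41.101 notify: info: zone example.net/IN: sending notifies (serial 2019090802)
09-Sep-2019 01:13:05.338 notify: info: zone example.net/IN: sending notifies (serial 2019090803)
09-Sep-2019 01:18:59.720 notify: info: zone example.net/IN: sending notifies (serial 2019090804)
09-Sep-2019 01:24:20.092 notify: info: zone example.net/IN: sending notifies (serial 2019090805)
09-Sep-2019 01:30:02.415 notify: info: zone example.net/IN: sending notifies (serial 2019090806)
09-Sep-2019 01:35:47.877 notify: info: zone example.net/IN: sending notifies (serial 2019090807)
09-Sep-2019 03:40:00.210 notify: info: zone example.org/IN: sending notifies (serial 2019090702)
"""

NOTIFY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?"
    r"zone (?P<zone>\S+)/IN: sending notifies \(serial (?P<serial>\d+)\)"
)


def parse_notifies(text):
    """Return a list of (zone, timestamp, serial) for every NOTIFY log line."""
    events = []
    for line in text.splitlines():
        m = NOTIFY_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
            events.append((m.group("zone"), ts, int(m.group("serial"))))
    return events


def find_bursts(events, window=timedelta(hours=1), threshold=5):
    """Map zone -> max serial bumps seen in any sliding window, for zones
    that reach the threshold. Each NOTIFY line is one serial increment."""
    by_zone = defaultdict(list)
    for zone, ts, _serial in events:
        by_zone[zone].append(ts)
    bursts = {}
    for zone, times in by_zone.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[zone] = best
    return bursts


if __name__ == "__main__":
    print(find_bursts(parse_notifies(SAMPLE_LOG)))  # prints {'example.net': 7}
```

Running it against a real named log (one with `print-time yes` and `print-category yes`) shows whether the bumps are evenly spaced, which is the fingerprint of chunked re-signing rather than external updates.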