DNSSEC inline/auto - burst of resigning/updates ?
Shumon Huque
shuque at gmail.com
Mon Sep 9 15:08:49 UTC 2019
On Mon, Sep 9, 2019 at 6:48 AM Tony Finch <dot at dotat.at> wrote:
> [...]
> You should find that re-signing gets spread out over time due to update
> activity and because of the randomizing jitter that Mark mentioned. So on
> a more mature zone you might not get such an intense flurry of signature
> updates. The jitter is 1 hour (in normal configurations) and there isn't
> a direct way to change it, unlike the -j option to `dnssec-signzone`.
>
In recent versions of BIND, the jitter is no longer 1 hour, but spread out
over the signature validity period.
I filed an enhancement request about a year ago on this topic, and why BIND
should spread out the jitter:
https://gitlab.isc.org/isc-projects/bind9/issues/418
The changes first appeared in BIND 9.12.3, I believe.
Shumon Huque