Auto-dnssec maintain and 'continuous' resigning
Mark Andrews
marka at isc.org
Wed Apr 3 22:48:30 UTC 2013
In message <515A92A5.3020302 at imperial.ac.uk>, Phil Mayers writes:
> On 04/01/2013 07:36 PM, Carlos M. Martinez wrote:
> > Reframing the question in more general terms... Which events trigger a
> > zone re-sign and reload when using "auto-dnssec maintain" ?
>
> As someone else has already said, zone updates, signature expiration and
> key events.
>
> In particular, it's normal for the SOA serial to constantly increase in
> a zone with "auto-dnssec maintain", even if nothing else happens,
> because the signatures will be regenerated every N days. N depends on
> your config, but is 0.75 * default_sig_life (30 days) by default i.e.
> signatures are generated every 22.5 days.
Named attempts to spread out re-signing load for a zone over time
even if the zone content is essentially static. It takes time to
regenerate signatures so you don't want non-threaded builds to stall
too long re-signing.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
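
A monitoring check built on the timing discussed in this message, as an added example that is not part of the original thread or of BIND: it reads RRSIG records in the presentation format printed by dig and flags signatures that are past the point where a re-sign would have been expected. The 30-day lifetime and 0.75 fraction are the defaults quoted above; the sample records, key tag and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: RRSIG records in presentation format. Names, key tag
# and signature data are made up. Fields after "RRSIG" are: type covered,
# algorithm, labels, original TTL, expiration, inception, key tag, signer, sig.
SAMPLE = """\
example.test. 3600 IN RRSIG SOA 8 2 3600 20130503224830 20130403214830 12345 example.test. c2lnMQ==
example.test. 3600 IN RRSIG NS 8 2 3600 20130428101500 20130329091500 12345 example.test. c2lnMg==
www.example.test. 3600 IN RRSIG A 8 3 3600 20130410030000 20130311020000 12345 example.test. c2lnMw==
"""
FMT = "%Y%m%d%H%M%S"  # RRSIG timestamps are YYYYMMDDHHMMSS in UTC


def parse_rrsigs(text):
    """Yield (owner, covered_type, inception, expiration) per RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue  # not an RRSIG record in full presentation format
        exp = datetime.strptime(f[8], FMT).replace(tzinfo=timezone.utc)
        inc = datetime.strptime(f[9], FMT).replace(tzinfo=timezone.utc)
        yield f[0], f[4], inc, exp


def resign_schedule(text, now, sig_life_days=30.0, resign_fraction=0.75):
    """Return (owner, type, due, status) rows sorted by expected re-sign time.

    due = expiration - (1 - resign_fraction) * sig_life_days, which is
    22.5 days after signing with the defaults quoted in the thread.
    """
    lead = timedelta(days=sig_life_days * (1 - resign_fraction))
    rows = []
    for owner, rtype, _inc, exp in parse_rrsigs(text):
        due = exp - lead
        if now >= exp:
            status = "EXPIRED"   # validators will reject this signature
        elif now >= due:
            status = "OVERDUE"   # still valid, but should have been replaced
        else:
            status = "ok"
        rows.append((owner, rtype, due, status))
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    now = datetime(2013, 4, 3, 22, 48, 30, tzinfo=timezone.utc)
    for owner, rtype, due, status in resign_schedule(SAMPLE, now):
        print(f"{status:8} {owner:20} {rtype:4} re-sign due {due:%Y-%m-%d %H:%M:%S}Z")
```

Because the re-signing is spread over time, the due times differ per RRset within one zone; an OVERDUE row on a zone that named is maintaining is the early signal to investigate before the signature reaches EXPIRED.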