Auto-dnssec maintain and 'continuous' resigning

Mark Andrews marka at isc.org
Wed Apr 3 22:48:30 UTC 2013


In message <515A92A5.3020302 at imperial.ac.uk>, Phil Mayers writes:
> On 04/01/2013 07:36 PM, Carlos M. Martinez wrote:
> > Reframing the question in more general terms... Which events trigger a
> > zone re-sign and reload when using "auto-dnssec maintain" ?
> 
> As someone else has already said, zone updates, signature expiration and 
> key events.
> 
> In particular, it's normal for the SOA serial to constantly increase in 
> a zone with "auto-dnssec maintain", even if nothing else happens, 
> because the signatures will be regenerated every N days. N depends on 
> your config, but is 0.75 * default_sig_life (30 days) by default i.e. 
> signatures are generated every 22.5 days.

Named attempts to spread out re-signing load for a zone over time
even if the zone content is essentially static.  It takes time to
regenerate signatures so you don't want non-threaded builds to stall
too long re-signing.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
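
An added example, not part of the original message or of BIND: a small monitoring check that reads RRSIG records in presentation format and lists when each signature reaches the re-sign point, using the 0.75 * signature lifetime figure quoted in the thread. The zone name, key tag and RRSIG lines are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timezone

# Figure quoted in the thread: signatures are regenerated at 0.75 * lifetime.
RESIGN_FRACTION = 0.75

# Constructed sample RRSIG records (signature data shortened to a stub).
SAMPLE = """\
example.test. 3600 IN RRSIG SOA 8 2 3600 20130501000000 20130401000000 12345 example.test. c2ln
example.test. 3600 IN RRSIG NS 8 2 3600 20130503000000 20130403000000 12345 example.test. c2ln
www.example.test. 3600 IN RRSIG A 8 3 3600 20130506000000 20130406000000 12345 example.test. c2ln
"""

def _ts(value):
    """Parse an RRSIG YYYYMMDDHHMMSS timestamp as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Return (owner, covered_type, inception, expiration) for each RRSIG line."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        if len(fields) < i + 9:
            continue  # truncated record, skip rather than guess
        # RDATA order: type alg labels origttl expiration inception keytag signer sig
        records.append((fields[0], fields[i + 1], _ts(fields[i + 6]), _ts(fields[i + 5])))
    return records

def schedule(text, now):
    """Return (resign_due, owner, covered_type, overdue) sorted by due time."""
    rows = []
    for owner, covered, inception, expiration in parse_rrsigs(text):
        due = inception + (expiration - inception) * RESIGN_FRACTION
        rows.append((due, owner, covered, now >= due))
    return sorted(rows)

if __name__ == "__main__":
    now = datetime(2013, 4, 24, tzinfo=timezone.utc)  # constructed "current" time
    for due, owner, covered, overdue in schedule(SAMPLE, now):
        state = "past re-sign point" if overdue else "ok"
        print(f"{due:%Y-%m-%d %H:%M} {owner} {covered}: {state}")
```

Differing due times across the records are what spread-out re-signing looks like from outside; a signature that stays past its re-sign point is the condition worth alerting on.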

