Auto-dnssec maintain and 'continuous' resigning
Phil Mayers
p.mayers at imperial.ac.uk
Thu Apr 4 16:07:09 UTC 2013
On 04/04/13 16:55, Carlos M. Martinez wrote:
> Thank you very much for all the bits, certainly very helpful.
>
> My problem is that this cycle of zone signing triggers zone number
> increases and generates dozens of NOTIFY messages and the corresponding
> zone transfers to all slaves within a short period of time, something
> which I believe is not very friendly to my gracious slave service
> providers.
You might ask your secondary if they care. We secondary for some people,
and my view is that I don't care if they send me one NOTIFY a minute and
I'm constantly doing tiny IXFR - I just don't care, or see why it's a
problem.
But I know some people don't like it. We don't send NOTIFY to one of our
secondaries for this reason, and that copy of the zone lags by
0->refresh. It's not a huge problem for me, so if you can tolerate it,
"notify explicit" might help.
> Since my signer instance does not provide public service, I would rather
> prefer the signing to be done in a single op and then send a single
> NOTIFY to slaves.
>
> Maybe my problem is 'auto-dnssec maintain', maybe I would be better off
> with the other options.
Well... you might be able to tweak the various sig-* options to bundle
up the signing, but that might adversely affect other stuff.
How big is the zone? You could just "cron" a "dnssec-signzone" if it's
reasonably sized.
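The two alternatives Phil sketches, as an added named.conf example that is not part of the thread: keeping "auto-dnssec maintain" but using "notify explicit" plus the sig-* knobs to bundle the signing work, and dropping automatic signing in favour of a cron-driven dnssec-signzone run that bumps the serial once. The zone name, addresses, paths and tuning values are assumptions for illustration; check each option against the BIND version actually in use.

```conf
// Added example (not from the list thread). Zone name, addresses,
// paths and numeric values are assumptions, not recommendations.

options {
    directory     "/var/named";        // assumed zone file location
    key-directory "/var/named/keys";   // assumed DNSSEC key location
};

// Variant 1: keep auto-dnssec maintain, but stop NOTIFY storms.
// "notify explicit" suppresses NOTIFYs to the zone's NS RRset and
// sends only to the also-notify list. With an empty list no NOTIFY
// goes out at all and each secondary picks up the zone at its SOA
// refresh interval (the 0->refresh lag described above).
zone "example.com" {
    type master;
    file "db.example.com";
    // auto-dnssec needs a dynamic zone or inline-signing; inline-signing
    // is assumed here so the unsigned master file stays untouched.
    inline-signing yes;
    auto-dnssec maintain;
    notify explicit;
    also-notify { };    // e.g. 192.0.2.53; for a secondary that wants NOTIFYs

    // Batch the re-signing into fewer, larger passes. Defaults are
    // 100 nodes and 10 signatures per quantum; raising them may reduce
    // how often the serial is bumped, at the cost of longer quanta.
    sig-signing-nodes      1000;
    sig-signing-signatures 100;
    // Signatures valid 30 days, regenerated 7 days before expiry
    // (default re-sign point is 1/4 of the base interval).
    sig-validity-interval 30 7;
};

// Variant 2: no auto-dnssec at all. Sign the whole zone in one
// operation from cron and reload, so the serial increments once and
// each secondary receives a single NOTIFY. Assumed crontab line:
//
//   cd /var/named && dnssec-signzone -S -K keys -N increment \
//       -o example.com db.example.com && rndc reload example.com
//
// -S  smart signing: picks usable keys from -K by their timing metadata
// -N increment  bump the SOA serial once per signing run
zone "example.com" {
    type master;
    file "db.example.com.signed";   // output of dnssec-signzone
    notify yes;
};
```

Variant 1 is the lower-effort change if the secondaries can tolerate a refresh-interval lag; variant 2 matches the "sign once, NOTIFY once" goal stated in the quoted message but needs the cron interval kept well inside the signature validity period, or the zone will serve expired RRSIGs.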
More information about the bind-users mailing list