The signed domain file rewritten

Alessandro Vesely vesely at
Tue Nov 12 18:49:22 UTC 2019

On Tue 12/Nov/2019 18:18:52 +0100 Tony Finch wrote:
> Alessandro Vesely <vesely at> wrote:
>> It doesn't seem to happen every day, but can happen again on the next day.  Can
>> the period be controlled?
> It depends on the size of the zone (bigger zone -> more frequent upates),
> how widely scattered the RRSIG expiry times are (which depends on how the
> zone is updated and how it was originally signed), how long ago it was
> signed (the expiry times have a bit of jitter so they should gradually
> spread out over) and on the sig-validity-interval setting.

That makes sense.  I left sig-validity-interval at its default (30 days) and
from October 19 to November 11 (the dates of the files) there are 23 days,
while 30 * (1 - 1/4) = 22.5.

Looking closer, I realized that the next day signature was not rewritten in the
same view.

Perhaps the jitter can be cured by setting a multiple of 4 as the validity

Thank you for the detailed explanation

More information about the bind-users mailing list