The signed domain file rewritten
vesely at tana.it
Tue Nov 12 18:49:22 UTC 2019
On Tue 12/Nov/2019 18:18:52 +0100 Tony Finch wrote:
> Alessandro Vesely <vesely at tana.it> wrote:
>> It doesn't seem to happen every day, but can happen again on the next day. Can
>> the period be controlled?
> It depends on the size of the zone (bigger zone -> more frequent updates),
> how widely scattered the RRSIG expiry times are (which depends on how the
> zone is updated and how it was originally signed), how long ago it was
> signed (the expiry times have a bit of jitter so they should gradually
> spread out over) and on the sig-validity-interval setting.
That makes sense. I left sig-validity-interval at its default (30 days) and
from October 19 to November 11 (the dates of the files) there are 23 days,
while 30 * (1 - 1/4) = 22.5.
Looking closer, I realized that the next day signature was not rewritten in the
Perhaps the jitter can be cured by setting a multiple of 4 as the validity
Thank you for the detailed explanation
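
[Added example, not part of the original message and not BIND code.] A small model of the behaviour discussed in this thread: it reads RRSIG expiry times from a signed zone and groups, per day, the signatures that come due for re-signing, assuming each one is regenerated one re-sign interval (1/4 of sig-validity-interval unless set) before it expires. The zone lines, key tag and the function name resign_schedule are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: RRSIG records in presentation format, signature data
# elided as "...". Fields after the type: covered type, algorithm, labels,
# original TTL, expiration, inception, key tag, signer.
SAMPLE_ZONE = """\
example.org. 3600 IN RRSIG SOA 13 2 3600 20191211120000 20191111110000 12345 example.org. ...
example.org. 3600 IN RRSIG NS 13 2 3600 20191118093000 20191019083000 12345 example.org. ...
www.example.org. 3600 IN RRSIG A 13 3 3600 20191118101500 20191019091500 12345 example.org. ...
mail.example.org. 3600 IN RRSIG A 13 3 3600 20191119020000 20191020010000 12345 example.org. ...
"""

RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s",
    re.M,
)


def resign_schedule(zone_text, validity_days=30.0, resign_days=None):
    """Map each UTC date to the number of RRSIGs due for re-signing that day.

    Assumption: a signature is due at (expiration - re-sign interval), and the
    re-sign interval is validity/4 when not given explicitly. Jitter applied
    to the *new* expiry times is not modelled.
    """
    if resign_days is None:
        resign_days = validity_days / 4
    lead = timedelta(days=resign_days)
    per_day = Counter()
    for _name, _covered, expire, _inception in RRSIG_RE.findall(zone_text):
        exp = datetime.strptime(expire, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        per_day[(exp - lead).date().isoformat()] += 1
    return dict(sorted(per_day.items()))


if __name__ == "__main__":
    # Each date listed is a day on which the signed zone file would change.
    for day, count in resign_schedule(SAMPLE_ZONE).items():
        print(day, count)
```

Run against a real signed zone (for example the text output of named-compilezone), the number of distinct dates shows how scattered the expiry times are, and so how often the file is likely to be rewritten.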