On Mon, Sep 9, 2019 at 6:48 AM Tony Finch <d...@dotat.at> wrote:

> [...]
> You should find that re-signing gets spread out over time due to update
> activity and because of the randomizing jitter that Mark mentioned. So on
> a more mature zone you might not get such an intense flurry of signature
> updates. The jitter is 1 hour (in normal configurations) and there isn't
> a direct way to change it, unlike the -j option to `dnssec-signzone`.
>

In recent versions of BIND, the jitter is no longer 1 hour, but spread out over the signature validity period. I filed an enhancement request about a year ago on this topic, and why BIND should spread out the jitter:

https://gitlab.isc.org/isc-projects/bind9/issues/418

The changes first appeared in BIND 9.12.3, I believe.

Shumon Huque