Quoting Siôn Lloyd ([email protected]):
> >when I add a zone to ODS I want it signed on disk immediately.
> >This is why I currently add zones with this command sequence:
> > ods-ksmutil zone add $zone
> > ods-ksmutil update zonelist
> > ods-signer sign $zone
>
> the current enforcer has no facility to process just a single zone,
> so as you point out the update makes it process all the zones that
> it knows about.

OK. That's too bad. But am I correct that I need to run 'update zonelist' before being able to call 'sign $zone', or is this step unnecessary and would a signer reload resolve the problems too?

On a different subject: this issue fits my perception that the entire introduction of DNSSEC to the DNS world comes from a registry point of view. There have been a lot of talks from registries implementing DNSSEC with just one (huge) zone, and virtually no information or experience seems to be shared by registrars who have to deal with thousands of (small) zones. Not at all to discredit the hard work you guys put into OpenDNSSEC, but this enforcer design implementation of OpenDNSSEC also fits the 'we only manage one or two zones, not fourteen thousand' mindset, imho.

> Using MySQL should fix the issue, we do no locking then.

I'll try to switch to MySQL then. Quite possibly the enforcer runs will speed up significantly from that too. Is there any experience on this list with switching to MySQL coming from SQLite that people want to share?

With regards,
-Sander.
--
| A box without hinges, key, or lid, yet golden treasure inside is hid.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
