On 11 Sep 2012, at 07:08, wfXLtg== wrote:

> Hi Matthijs,
>
> I'm now using Adapter File which is more stable than Adapter DNS.
> The work flow is as follows:
> 1. generate zone files from db and saved in ./unsigned/
> 2. when all the zone files are ready, run ods-signer sign --all
> 3. monitor whether there are signed zones in ./signed/ and scp immediately signed
> zone from ./signed to hidden master BIND, after transfer completed using
> "rndc reload"

Are you using the <NotifyCommand> mechanism for this? This is the best way to determine when the signing is complete.

> to make BIND reload the newly signed zone file
> 4. test whether
> 4. do the above steps every 15 mins
>
> The problem is sometimes the zone files in the ./signed/ may be not signed by
> ods-signer sign --all, it may be signed by automatic resign, so sometimes the
> RRs in the zones are not the exact ones in db. So as you suggested, I have
> changed the resign value to a relatively large number but I find that I have
> to change refresh, validity/default, validity/denial, too, so I can not set
> the resign period to 1Y for example, because refresh should be larger than
> resign and validity/default and validity/denial should be larger than refresh.
> I think the validity is 30D which is commonly used by registries, so can you
> recommend other values?
>
> And I knew that if a zone is not signed completely, ods-signerd will only
> create a <zone>.tmp file in ./signed/, but in my test I have found that a zone
> has been scped to the hidden master with less size than its supposed size, and
> its file name is test not test.tmp, so my program is sure that it's signed
> completely and transfer it to the destination. Is there a possibility that
> ods-signerd signs zone file not completely and make <zone>.tmp to <zone>? If
> not, I can hardly understand why the signed file is smaller than the unsigned
> one.

Perhaps you can send us your xml files and log files offlist?

Thanks

Sara.

>
> Best regards,
> Stuart
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
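A hook for the `<NotifyCommand>` mechanism suggested in the reply above, written as an added example; it is not code from the thread or from OpenDNSSEC. It refuses to publish a signed file that is still being written, carries no RRSIG records, or is smaller than its unsigned input. The script path, `MASTER`, `DEST` and `UNSIGNED_DIR` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Wired into the signer's conf.xml as:
#   <NotifyCommand>/usr/local/sbin/publish-zone.sh %zone %zonefile</NotifyCommand>
# The script path, MASTER, DEST and UNSIGNED_DIR values are assumptions.
MASTER="${MASTER:-hidden-master.example.net}"
DEST="${DEST:-/var/named/signed}"
UNSIGNED_DIR="${UNSIGNED_DIR:-/var/opendnssec/unsigned}"
SCP="${SCP:-scp -q}"
RNDC="${RNDC:-rndc -s $MASTER}"

# zone_ready SIGNED [UNSIGNED]: succeed only if SIGNED looks like finished output.
zone_ready() {
    signed=$1 unsigned=${2:-}
    [ -s "$signed" ] || { echo "missing or empty: $signed" >&2; return 1; }
    # Per the thread, an unfinished run leaves <zone>.tmp next to the output.
    [ ! -e "$signed.tmp" ] || { echo "still being written: $signed.tmp" >&2; return 1; }
    # A signed zone carries RRSIG records; none means this is not signer output.
    grep -Eq '[[:space:]]RRSIG[[:space:]]' "$signed" ||
        { echo "no RRSIG records in $signed" >&2; return 1; }
    # Heuristic from the thread: output smaller than the unsigned input is suspect.
    if [ -n "$unsigned" ] && [ -f "$unsigned" ]; then
        [ $(( $(wc -c < "$signed") )) -ge $(( $(wc -c < "$unsigned") )) ] ||
            { echo "$signed is smaller than $unsigned" >&2; return 1; }
    fi
}

# publish_zone ZONE SIGNED: verify, copy to the hidden master, then reload it.
publish_zone() {
    zone=$1 signed=$2
    zone_ready "$signed" "$UNSIGNED_DIR/$zone" || return 1
    $SCP "$signed" "$MASTER:$DEST/$zone" || return 2
    $RNDC reload "$zone" || return 3
}

# Run as a hook only when the signer passes both arguments.
if [ $# -ge 2 ]; then
    publish_zone "$1" "$2"
fi
```

Because the signer invokes the hook after it has written the zone, this replaces polling `./signed/` every 15 minutes.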
