-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/12/2012 11:53 AM, Sara Dickinson wrote:
> On 11 Sep 2012, at 07:08, wfXLtg== wrote:
>
>> Hi Matthijs,
>>
>> I'm now using Adapter File, which is more stable than Adapter DNS. The
>> workflow is as follows:
>> 1. generate zone files from the db and save them in ./unsigned/
>> 2. when all the zone files are ready, run ods-signer sign --all
>> 3. monitor whether there are signed zones in ./signed/ and scp the
>>    signed zone immediately from ./signed to the hidden master BIND;
>>    after the transfer has completed, use "rndc reload"
>
> Are you using the <NotifyCommand> mechanism for this? This is the best
> way to determine when the signing is complete.

I agree with Sara, replace the monitoring with the NotifyCommand.

>>    to make BIND reload the newly signed zone file
>> 4. test whether
>> 4. do the above steps every 15 mins
>>
>> The problem is that sometimes the zone files in ./signed/ may not be
>> signed by ods-signer sign --all; they may be signed by the automatic
>> resign, so sometimes the RRs in the zones are not the exact ones in the
>> db. So, as you suggested, I have changed the resign value to a
>> relatively large number, but I find that I have to change refresh,
>> validity/default and validity/denial too, so I can not set the resign
>> period to 1Y for example, because refresh should be larger than resign,
>> and validity/default and validity/denial should be larger than refresh.
>> I think a validity of 30D is commonly used by registries, so can you
>> recommend other values?

Well, 1Y was perhaps a bit of an exaggerated example. But if you will call
ods-signer sign --all every 15 minutes, you are probably more than safe with
a resign value of a day.

>>
>> And I knew that if a zone is not signed completely, ods-signerd will
>> only create a <zone>.tmp file in ./signed/, but in my test I have found
>> that a zone has been scped to the hidden master with a smaller size than
>> its supposed size, and its file name is test, not test.tmp, so my
>> program is sure that it's signed completely and transfers it to the
>> destination. Is there a possibility that ods-signerd signs a zone file
>> incompletely and renames <zone>.tmp to <zone>? If not, I can hardly
>> understand why the signed file is much smaller than the unsigned one.

If the signer has completely written out the signed zone file to
<signed-zonefilename>.tmp, it will rename it to <signed-zonefilename>.

>
> Perhaps you can send us your xml files and log files off-list?

And I would also be interested in the failed zone file, signed and unsigned.

>
> Thanks
>
> Sara.
>
>>
>> Best regards,
>> Stuart
>> _______________________________________________
>> Opendnssec-user mailing list
>> [email protected]
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQEcBAEBAgAGBQJQUGx2AAoJEA8yVCPsQCW5AOQIAKVmTf8uKA/Nao3chNFkhBSQ
1IyIAnQCleSCADZT1Zhlp6GUqljKqGW+0AxHzCWa5jg3EYI4gQeiO5PctKV65j9A
Ns609V5XT/pSa78viZ2X8oyPYLyyJMy3arGGJWa4itbZWPpd7kuGRZ3GytNqiTrY
x8o+46rmj3oBv9Mh41MW+yNsObD68Wk7HdM7RttnOYeY8J6V9g0NuoXkNo6+mDkZ
yu3vVR+YrsIJcthKi9i8WnIt1dZKddEEfl7AKIGCl8UMteLfUVXOnEd7Z+byuZ/j
Ry5UlgdUXFPTjCsfBk200X8AwQr1IBYCne5TIxQnXEmKjOrZJKK+I/FWS6Vk3Sk=
=wnul
-----END PGP SIGNATURE-----
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
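The advice in the thread (replace the polling of ./signed/ with a NotifyCommand hook, and rely on the signer renaming <zone>.tmp to <zone> only once the file is complete) is shown below as an added example of such a hook. It is not code from OpenDNSSEC, from Matthijs or from the original poster. It assumes the %zone and %zonefile placeholders that OpenDNSSEC's conf.xml documentation describes for NotifyCommand; the host name, directories, the scp/ssh/rndc wiring and the extra sanity checks (size, presence of RRSIGs, named-checkzone) are this example's own choices, not something the thread prescribes.

```shell
#!/bin/sh
# Added example (not OpenDNSSEC's own code): a NotifyCommand hook that
# replaces polling of ./signed/. ods-signerd runs it only after it has
# written <zone>.tmp completely and renamed it to <zone>, so the hook never
# sees a half-written file. Assumed conf.xml wiring (placeholders %zone and
# %zonefile as documented for NotifyCommand):
#   <Signer>
#     <NotifyCommand>/usr/local/bin/push-signed-zone.sh %zone %zonefile</NotifyCommand>
#   </Signer>
# Host, directories and the scp/ssh/rndc commands below are hypothetical.

UNSIGNED_DIR="${UNSIGNED_DIR:-/var/opendnssec/unsigned}"   # Adapter File input
HIDDEN_MASTER="${HIDDEN_MASTER:-hidden-master.example.net}" # BIND hidden master
REMOTE_DIR="${REMOTE_DIR:-/var/named/signed}"
SCP="${SCP:-scp}"   # overridable so the hook can be exercised without a remote
SSH="${SSH:-ssh}"

# signed_zone_ready SIGNED UNSIGNED: returns 0 if SIGNED looks like a
# complete signed zone. Rejects the signer's in-progress .tmp name, empty
# files, a signed file smaller than its unsigned input (signing only adds
# records) and a file that carries no RRSIG at all.
signed_zone_ready() {
    signed="$1"; unsigned="$2"
    case "$signed" in *.tmp) return 1 ;; esac
    [ -s "$signed" ] || return 1
    if [ -f "$unsigned" ]; then
        ssize=$(wc -c < "$signed" | tr -d ' ')
        usize=$(wc -c < "$unsigned" | tr -d ' ')
        [ "$ssize" -ge "$usize" ] || return 1
    fi
    grep -q 'RRSIG' "$signed"
}

# Let BIND's own checker reject a syntactically broken zone before it
# reaches the master; skipped where named-checkzone is not installed.
check_zone_syntax() {
    zone="$1"; signed="$2"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$zone" "$signed"
    fi
}

# push_zone ZONE SIGNED: copy to a temporary name on the master and rename
# it into place there, so "rndc reload" never reads a partially copied file.
push_zone() {
    zone="$1"; signed="$2"
    "$SCP" -q "$signed" "$HIDDEN_MASTER:$REMOTE_DIR/$zone.tmp" || return 1
    "$SSH" "$HIDDEN_MASTER" \
        "mv '$REMOTE_DIR/$zone.tmp' '$REMOTE_DIR/$zone' && rndc reload '$zone'"
}

# main ZONE SIGNED: status 2 for an incomplete file, 3 for a checker failure.
main() {
    zone="$1"; signed="$2"
    if ! signed_zone_ready "$signed" "$UNSIGNED_DIR/$zone"; then
        echo "push-signed-zone: $signed is not a complete signed zone, not pushing" >&2
        return 2
    fi
    check_zone_syntax "$zone" "$signed" || return 3
    push_zone "$zone" "$signed"
}

# Act only when invoked by the signer with both arguments.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

The hook runs as the signer's user, so the ssh key it uses should be limited to the copy and the reload (a forced command on the master is the usual way). With the hook in place the 15-minute polling loop and the "is it still a .tmp" heuristic disappear; what the hook does not change is which data gets signed, so the resign-interval question raised in the thread still has to be settled in the kasp policy.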
