[Dnssec-deployment] SOA serial number changes on resigning thoughts
Paul Wouters
paul at xelerance.com
Thu Feb 3 15:36:54 EST 2011
On Thu, 3 Feb 2011, Kevin Oberman wrote:
>>> I'm not sure if this is an issue in Bert's case. If you resign from
>>> scratch, at least three quarters of the RRsets change anyway, so IXFR
>>> is not very effective.
>>
>> That's why you spread out the RRSIG expiry and re-use RRSIGs
>
> I'm sorry, but how the heck do you "re-use RRSIGs"? I see spreading
> expiry, but I am baffled as to how an RRSIG can be re-used. What am I
> not understanding?
Say you sign with RRSIGs from -1h to (+1w to +3w). And every hour you
re-sign. You can then re-use most of the RRSIGs because they're still
valid if the unsigned data for that RRset has not changed. If a RRSIG
would be valid for less then 1w, you create a new one.
This spreads your CPU load over time, and also reduced IXFR transfers.
Though you still get peak loads when you roll a key or change an NSEC3
salt.
Paul
More information about the Dnssec-deployment
mailing list