Still playing with DNSSEC and signing zones.

I'm resigning an already signed zone.

I'm doing this on a hyper-threaded 4-core i7 (Intel(R) Core(TM) i7 CPU
920 @ 2.67GHz) which under linux gives me 8 cores.

I'm using the command:

dnssec-signzone -3 "abcd" -o example.com -p -t -A -d keyset -g -a -N increment -s 20110111161553 -e 20110210161553 -f example.com.sign-1 example.com.signed

A minute later - I run the same command - but output to a different
file...   -f example.com.sign-2

A 'diff' of the two output files gives lots of differences - apart from
the zone creation time.

If I include the "-n ncpus" as "-n 1" - then the files are the same
(except for the creation time).

I believe that the data is fundamentally the same - but it is partially
re-ordered if there are multiple threads. This is not what I would have
expected - having had it drummed into me that dnssec-signzone will
first sort the zone then generate all the RRSIG records - etc...
I find this disturbing. It appears to only be doing this on CNAME
records.

In one file:
www.access.example.com  CNAME  www.entry.example.com
access.example.com      CNAME  entry.example.com

In the next - their order is swapped.


Are these differences in ordering completely ignored when BIND loads the
file into memory?

-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
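One way to check whether two signed outputs differ only in record order, as an added example that is not part of the original post: parse both zone files, drop comments (which removes the creation-time line), rejoin parenthesised records, and compare the records as multisets. The zone snippets are constructed stand-ins for example.com.sign-1 and example.com.sign-2, and handling of ';' inside quoted TXT strings is deliberately skipped.

```python
from collections import Counter

def canonical_records(zone_text):
    """Return the records in zone_text as a multiset, ignoring line order.

    Comments (';' to end of line) are dropped, which discards the
    'File written on ...' creation-time line dnssec-signzone emits, and
    records wrapped in parentheses (SOA, RRSIG, DNSKEY) are joined back
    onto a single line. Simplification: a ';' inside a quoted TXT string
    is not handled.
    """
    records = Counter()
    buf, depth = [], 0
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:
            continue  # still inside a parenthesised record
        record = " ".join(" ".join(buf).split())
        buf = []
        if record:
            records[record] += 1
    return records

def zone_diff(zone_a, zone_b):
    """Records present in one file but not the other, as two sorted lists."""
    a, b = canonical_records(zone_a), canonical_records(zone_b)
    return sorted((a - b).elements()), sorted((b - a).elements())

# Constructed stand-ins for example.com.sign-1 and .sign-2: same records,
# different creation-time comment and swapped CNAME order.
SIGN_1 = """\
; File written on Tue Jan 11 16:15:53 2011
example.com.            3600 IN SOA ns1.example.com. hostmaster.example.com. (
                        2011011101 ; serial
                        7200 3600 1209600 3600 )
www.access.example.com. 3600 IN CNAME www.entry.example.com.
access.example.com.     3600 IN CNAME entry.example.com.
"""
SIGN_2 = """\
; File written on Tue Jan 11 16:16:53 2011
example.com.            3600 IN SOA ns1.example.com. hostmaster.example.com. (
                        2011011101 ; serial
                        7200 3600 1209600 3600 )
access.example.com.     3600 IN CNAME entry.example.com.
www.access.example.com. 3600 IN CNAME www.entry.example.com.
"""

if __name__ == "__main__":
    only_1, only_2 = zone_diff(SIGN_1, SIGN_2)
    print("identical" if not (only_1 or only_2) else (only_1, only_2))
```

An empty pair of lists means the two signing runs produced the same record set and only the file layout changed.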


_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users