In message <alpine.lfd.1.10.1101121517240.30...@newtla.xelerance.com>, Paul Wouters writes:
> On Wed, 12 Jan 2011, Mark Elkins wrote:
>
> > dnssec-signzone -3 "abcd" -o example.com -p -t -A -d keyset -g -a -N
> > increment -s 20110111161553 -e 20110210161553 -f example.com.sign-1
> > example.com.signed
> >
> > A minute later - I run the same command - but output to a different
> > file... -f example.com.sign-2
> >
> > A 'diff' of the two output files gives lots of differences - apart from
> > the zone creation time.
> >
> > If I include the "-n ncpus" as "-n 1" - then the files are the same
> > (except for the creation time).

dnssec-signzone uses multiple threads to sign the zone a node at a time.
These work items finish in a non-deterministic manner, leading to a
different order in the resulting text file being produced. This is done
after the zone was sorted to generate the NSEC records.

> > I believe that the data is fundamentally the same - but it is partially
> > re-ordered if there are multiple threads. This is not what I would have
> > expected - having had it been drummed into me that dnssec-signzone will
> > first sort the zone then generate all the RRSIG records - etc...
> > I find this disturbing. It appears to only be doing this on CNAME
> > records.
>
> I'd recommend preprocessing the zone with ldns-read-zone, which also sorts
> and canonicalises the zone. Later on, you can then also use this command
> to separate unsigned data from dnssec, and merge in data (eg updates)
> from multiple zone versions while re-using previous RRSIGs

Firstly, there is no need to pre-sort the zone. If one wants to
canonicalise the zone, named-checkzone will do that fine. dnssec-signzone
will work out if it needs to regenerate signatures or preserve the
existing signatures.

> Paul
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
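The thread's practical question is whether two dnssec-signzone runs that differ only in record order produced the same signed data. A plain `diff` cannot answer that, so the following script, added here as an example and not code from BIND or from any of the posters, compares two signed zone files as multisets of resource records. It strips `;` comments (which is where the creation-time line lives), joins parenthesised multi-line RRSIGs and SOAs, fills in owner names that dnssec-signzone omits on the second and later records of a node, and drops the optional class token. The sample zone fragments `SIGN_1`, `SIGN_2` and `SIGN_3`, the key tag `12345` and the base64 placeholders are constructed for the example.

```python
"""Compare two dnssec-signzone output files as multisets of resource records.

Added example for the bind-users thread on thread-order nondeterminism; not
code from BIND or from the posters.  It assumes dnssec-signzone's output
conventions: fully-qualified owner names, the owner omitted on later records
of the same node, and long RDATA wrapped in parentheses.
"""
from collections import Counter


def _strip_comment(line: str) -> str:
    # Drop a ';' comment.  Sufficient for dnssec-signzone output, which has no
    # quoted strings; a zone with TXT data would need a real tokenizer.
    return line.split(';', 1)[0]


def parse_records(text: str) -> list[str]:
    """Return one whitespace-normalised string per resource record."""
    records, buf, depth, owner = [], [], 0, None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if depth == 0 and not line.strip():
            continue
        if depth == 0 and line.startswith('$'):
            # $ORIGIN would change the meaning of names; signzone output does
            # not emit it, so refuse rather than compare the wrong thing.
            raise ValueError(f"unsupported directive: {line.strip()}")
        buf.append(line)
        depth += line.count('(') - line.count(')')
        if depth > 0:
            continue                      # still inside ( ... )
        inherits_owner = buf[0][:1].isspace()
        tokens = ' '.join(buf).replace('(', ' ').replace(')', ' ').split()
        buf = []
        if inherits_owner:
            if owner is None:
                raise ValueError("record without owner before any owner")
            tokens.insert(0, owner)       # blank owner means "same as above"
        else:
            owner = tokens[0]
        # The class is optional after a node's first record; drop it so
        # "3600 IN A" and "3600 A" compare equal.
        for i in (1, 2):
            if len(tokens) > i and tokens[i] == 'IN':
                del tokens[i]
                break
        records.append(' '.join(tokens))
    return records


def diff_zone_data(text_a: str, text_b: str) -> tuple[list[str], list[str]]:
    """Records only in A and records only in B, ignoring order and comments."""
    a, b = Counter(parse_records(text_a)), Counter(parse_records(text_b))
    return sorted((a - b).elements()), sorted((b - a).elements())


def same_zone_data(text_a: str, text_b: str) -> bool:
    only_a, only_b = diff_zone_data(text_a, text_b)
    return not only_a and not only_b


# Constructed stand-ins for example.com.sign-1 and example.com.sign-2:
# same records, different creation-time comment, nodes in a different order.
SIGN_1 = """\
; File written on Wed Jan 12 16:15:53 2011
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. (
                       2011011101 ; serial
                       3600 900 604800 86400 )
                  3600 RRSIG SOA 8 2 3600 20110210161553 (
                       20110111161553 12345 example.com. SOASIGPLACEHOLDER== )
                  3600 NS ns1.example.com.
www.example.com.  3600 IN CNAME host.example.com.
                  3600 RRSIG CNAME 8 3 3600 20110210161553 (
                       20110111161553 12345 example.com. CNAMESIGPLACEHOLDER== )
host.example.com. 3600 IN A 192.0.2.1
                  3600 RRSIG A 8 3 3600 20110210161553 (
                       20110111161553 12345 example.com. ASIGPLACEHOLDER== )
"""
SIGN_2 = """\
; File written on Wed Jan 12 16:16:41 2011
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. (
                       2011011101 ; serial
                       3600 900 604800 86400 )
                  3600 RRSIG SOA 8 2 3600 20110210161553 (
                       20110111161553 12345 example.com. SOASIGPLACEHOLDER== )
                  3600 NS ns1.example.com.
host.example.com. 3600 IN A 192.0.2.1
                  3600 RRSIG A 8 3 3600 20110210161553 (
                       20110111161553 12345 example.com. ASIGPLACEHOLDER== )
www.example.com.  3600 IN CNAME host.example.com.
                  3600 RRSIG CNAME 8 3 3600 20110210161553 (
                       20110111161553 12345 example.com. CNAMESIGPLACEHOLDER== )
"""
# A constructed third file where the data really did change (host's A record).
SIGN_3 = SIGN_2.replace("192.0.2.1", "192.0.2.2")

if __name__ == "__main__":
    print("sign-1 vs sign-2 same data:", same_zone_data(SIGN_1, SIGN_2))
    print("sign-1 vs sign-3 differences:", diff_zone_data(SIGN_1, SIGN_3))
```

Run against real output, read the two files and pass their contents to `diff_zone_data`; an empty pair of lists means the runs differ only in order and comments, which is what the `-n 1` comparison in the thread established. Any non-empty list is a genuine content difference worth investigating.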