Adjust SyncPublish Interval for dnssec-policy to minimize delay
When enabling the dnssec-policy for a zone in BIND9, I've noticed that the default SyncPublish interval is set to 1 day + 5 minutes.
Steps to reproduce:
- Create a zone:

```
zone "example.com" {
    type master;
    file "/var/cache/bind/zones/example.com.zone";
    dnssec-policy "default";
    inline-signing yes;
    key-directory "/var/cache/bind/keys/example.com";
};
```
- Reload BIND with:

```
rndc reload
```
- 3 files generated: .key, .private, .state.
- Inside the file, in the metadata, we can see the following:

```
; This is a key-signing key, keyid 9061, for example.com.
; Created: 20240219101033 (Mon Feb 19 15:10:33 2024)
; Publish: 20240219101033 (Mon Feb 19 15:10:33 2024)
; Activate: 20240219101033 (Mon Feb 19 15:10:33 2024)
; SyncPublish: 20240220111533 (Tue Feb 20 16:15:33 2024)
```
- It appears more efficient to reduce this interval to just +5 minutes. Currently, the delay incurred by the default interval might lead to potential synchronization issues or delays in propagating changes. By minimizing the interval to +5 minutes, we can ensure timely synchronization of DNSSEC-related updates without unnecessary delay. I couldn't find how to reduce the SyncPublish time using a custom dnssec-policy.
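
To read the interval straight from a key file rather than by eye, the following added example (not part of the original report and not BIND code) parses the timing metadata quoted above and reports each field's offset from `Publish`. The function names are hypothetical, and the 14-digit timestamps are treated as UTC, with the parenthesised text being local time.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the metadata lines quoted in the report above.
SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 9061, for example.com.
; Created: 20240219101033 (Mon Feb 19 15:10:33 2024)
; Publish: 20240219101033 (Mon Feb 19 15:10:33 2024)
; Activate: 20240219101033 (Mon Feb 19 15:10:33 2024)
; SyncPublish: 20240220111533 (Tue Feb 20 16:15:33 2024)
"""

# Matches "; Name: YYYYMMDDHHMMSS"; the descriptive first line does not match.
TIMING_RE = re.compile(r"^;\s*(\w+):\s*(\d{14})\b")


def parse_timings(text):
    """Return {field: UTC datetime} for every timing line in a key file."""
    timings = {}
    for line in text.splitlines():
        m = TIMING_RE.match(line)
        if m:
            stamp = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
            timings[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    return timings


def offsets_from_publish(timings):
    """Offset of each timing field relative to Publish."""
    base = timings["Publish"]
    return {k: v - base for k, v in timings.items() if k != "Publish"}


def time_until_sync(timings, now):
    """Time left before SyncPublish; None if the key has no such field
    (a key file without SyncPublish), zero once the time has passed."""
    sync = timings.get("SyncPublish")
    if sync is None:
        return None
    return max(sync - now, timedelta(0))


if __name__ == "__main__":
    t = parse_timings(SAMPLE_KEY_FILE)
    for field, delta in offsets_from_publish(t).items():
        print(f"{field:12s} Publish + {delta}")
    print("remaining:", time_until_sync(t, datetime.now(timezone.utc)))
```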