<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:65422321;
mso-list-type:hybrid;
mso-list-template-ids:-3109682 1250468660 68354051 68354053 68354049 68354051 68354053 68354049 68354051 68354053;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=NL link=blue vlink=purple>
<div class=WordSection1>
<p class=MsoNormal>Hey guys,<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span lang=EN-US>We are going through some real-life
scenario’s with ODS and a few questions popped up concerning key
management:<o:p></o:p></span></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span
lang=EN-US><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span lang=EN-US>We configured the publish
period at 1 hour now, but it takes 2 hours.<o:p></o:p></span></p>
<p class=MsoListParagraph style='margin-left:72.0pt;text-indent:-18.0pt;
mso-list:l0 level2 lfo1'><![if !supportLists]><span lang=EN-US
style='font-family:"Courier New"'><span style='mso-list:Ignore'>o<span
style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span
lang=EN-US>Publish safety 20 minutes<o:p></o:p></span></p>
<p class=MsoListParagraph style='margin-left:72.0pt;text-indent:-18.0pt;
mso-list:l0 level2 lfo1'><![if !supportLists]><span lang=EN-US
style='font-family:"Courier New"'><span style='mso-list:Ignore'>o<span
style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span
lang=EN-US>Zone Propagation delay 30 minutes<o:p></o:p></span></p>
<p class=MsoListParagraph style='margin-left:72.0pt;text-indent:-18.0pt;
mso-list:l0 level2 lfo1'><![if !supportLists]><span lang=EN-US
style='font-family:"Courier New"'><span style='mso-list:Ignore'>o<span
style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span
lang=EN-US>Zone TTL 10 minutes<o:p></o:p></span></p>
<p class=MsoListParagraph><span lang=EN-US>Is there any other setting I should
take into account? Key TTL? That one is 30 minutes. The key list tells next
transition is in 1 hour 20 minutes so it looks more like it uses
[PubSaf]+[ZonProp]+[key TTL] to determine publish time. But still it takes 2
hours before the key gets ready state. We resign every 30 minutes.<o:p></o:p></span></p>
<p class=MsoListParagraph><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span
lang=EN-US><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span lang=EN-US>In a zone without DS records,
we get 3 NSEC3 RR’s. 1 for SOA, NS, TXT and 1 for SRV. I can’t
figure out which RRset the last NSEC3 record belongs to. Can anyone enlighten
me? <o:p></o:p></span></p>
<p class=MsoListParagraph><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span
lang=EN-US><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span lang=EN-US>First time you use ds-seen to
activate the first KSK you get an error message concerning retiring an old key,
but there ain’t one to retire. It might be better to hide this message in
case of a first KSK activation.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span
lang=EN-US><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span lang=EN-US>When the first KSK has been
published long enough the logging tells you to use “key ksk-roll”
while this should be “ds-seen”. Has that been fixed after 1.1.0?
Since that’s the version we are using.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Next to these minor things OpenDNSSEC is
running well. In 2-3 weeks we’ll start the official acceptance tests in
which we incorporate DNSSEC in the network architecture.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Thanks!<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Rick Zijlker<o:p></o:p></span></p>
</div>
</body>
</html>