[Opendnssec-develop] Re: Auditor files

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Jul 5 10:30:57 UTC 2010


On 5 Jul 2010, at 10.21, Alex Dalitz wrote:

> Hi Rickard -
> 
> Sorry I didn't get a chance to check code in for this over the weekend.

No worries.

> I have three questions:
> 
> 1) Should we actually be supporting this in the first place? i.e. allowing people to shoot themselves in the foot by having a shorter signature lifetime than TTL?

Yes, since that check would be part of ods-kaspcheck. The auditor should check that the signer has put the correct TTL in RR, since the policy is not for a resolver but the signer.

> 2) If so, could you please also test the partial auditor fix? I include partial_auditor.rb, which you can run by installing and using the "-p" flag with the auditor. It would be interesting to ensure it failed before checking that the fix fixed it.

It works.

> 3) Does ods-kaspcheck pick this up?

No, we should have a check here for that. But that is something we can do for 1.2.

rickard at fou:~/opendnssec/signed$ ods-kaspcheck 
WARNING: InceptionOffset is higher than expected (3600 seconds) for default policy in /home/rickard/opendnssec/kasp.xml
WARNING: Keys/PublishSafety (0 seconds) in Policy1 policy in /home/rickard/opendnssec/kasp.xml is less than 0.1 * TTL (60 seconds)
WARNING: Keys/RetireSafety (0 seconds) in Policy1 policy in /home/rickard/opendnssec/kasp.xml is less than 0.1 * TTL (60 seconds)
WARNING: Keys/PublishSafety (0 seconds) in Policy2 policy in /home/rickard/opendnssec/kasp.xml is less than 0.1 * TTL (900 seconds)
WARNING: Keys/RetireSafety (0 seconds) in Policy2 policy in /home/rickard/opendnssec/kasp.xml is less than 0.1 * TTL (900 seconds)

> If we *do* want the fix, and the partial_auditor is OK, then I'll check in all the files (I have also prepared fixes for the trunk).
> 
> I'll be online sporadically throughout the day. If I hear back from you in the positive, then I'll upload the patches to subversion.
> 
> Thanks!
> 
> 
> Alex.

And the fix you did for key rollovers is also working.

// Rickard
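The checks discussed in this thread (the kaspcheck warnings for InceptionOffset and for PublishSafety/RetireSafety against 0.1 * TTL, and the missing check for a signature lifetime shorter than the TTL from question 1) are small enough to show as a stand-alone policy linter. The code below is an added illustration written for this page, not ods-kaspcheck or any other OpenDNSSEC code; the kasp.xml element layout (Signatures/InceptionOffset, Signatures/Validity/Default, Keys/TTL, Keys/PublishSafety, Keys/RetireSafety) and the 3600-second InceptionOffset threshold are assumed from the warning text above, and the sample policy file is constructed so that Policy1 reproduces the zero-safety-margin case from the thread plus a validity shorter than the TTL.

```python
"""Constructed policy linter in the spirit of ods-kaspcheck (example, not OpenDNSSEC code)."""
import re
import xml.etree.ElementTree as ET

# Constructed kasp.xml fragment. Element names follow the OpenDNSSEC kasp.xml layout
# as assumed from the warning text in the thread. Policy1 mirrors the thread's case:
# zero safety margins against a 60 second TTL, plus a signature validity shorter
# than the TTL (the "shoot yourself in the foot" case from question 1).
SAMPLE_KASP = """<KASP>
  <Policy name="default">
    <Signatures>
      <Validity><Default>P7D</Default></Validity>
      <InceptionOffset>PT7200S</InceptionOffset>
    </Signatures>
    <Keys>
      <TTL>PT3600S</TTL>
      <PublishSafety>PT3600S</PublishSafety>
      <RetireSafety>PT3600S</RetireSafety>
    </Keys>
  </Policy>
  <Policy name="Policy1">
    <Signatures>
      <Validity><Default>PT30S</Default></Validity>
      <InceptionOffset>PT300S</InceptionOffset>
    </Signatures>
    <Keys>
      <TTL>PT60S</TTL>
      <PublishSafety>PT0S</PublishSafety>
      <RetireSafety>PT0S</RetireSafety>
    </Keys>
  </Policy>
</KASP>
"""

# Threshold named in the kaspcheck output quoted in the thread (assumed fixed here).
MAX_INCEPTION_OFFSET = 3600

# ISO 8601 durations restricted to W/D/H/M/S parts, which is all the sample uses.
_DURATION = re.compile(
    r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def parse_duration(text):
    """Convert a duration such as PT3600S or P7D to a number of seconds."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError("unsupported duration: %r" % text)
    w, d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return ((w * 7 + d) * 24 + h) * 3600 + mi * 60 + s


def check_policy(policy, path):
    """Return the list of warning strings for one <Policy> element."""
    name = policy.get("name")
    warnings = []

    def secs(xpath):
        node = policy.find(xpath)
        return parse_duration(node.text) if node is not None else None

    ttl = secs("Keys/TTL")
    offset = secs("Signatures/InceptionOffset")
    validity = secs("Signatures/Validity/Default")

    # An inception offset far in the past widens the window in which an old
    # signature is still accepted; flag anything above the expected bound.
    if offset is not None and offset > MAX_INCEPTION_OFFSET:
        warnings.append(
            "WARNING: InceptionOffset is higher than expected (%d seconds) "
            "for %s policy in %s" % (offset, name, path))

    if ttl is not None:
        # Safety margins below a tenth of the TTL give caches no slack around
        # key publish/retire events.
        for field in ("PublishSafety", "RetireSafety"):
            val = secs("Keys/" + field)
            if val is not None and val < 0.1 * ttl:
                warnings.append(
                    "WARNING: Keys/%s (%d seconds) in %s policy in %s is less "
                    "than 0.1 * TTL (%d seconds)" % (field, val, name, path, ttl))
        # A signature that expires before the cached RRset does validates on
        # the authoritative server but fails at resolvers holding the cached copy.
        if validity is not None and validity < ttl:
            warnings.append(
                "WARNING: Signatures/Validity/Default (%d seconds) in %s policy "
                "in %s is shorter than Keys/TTL (%d seconds)"
                % (validity, name, path, ttl))
    return warnings


def check_kasp(xml_text, path="kasp.xml"):
    """Run check_policy over every policy in a kasp.xml document."""
    root = ET.fromstring(xml_text)
    out = []
    for policy in root.findall("Policy"):
        out.extend(check_policy(policy, path))
    return out


if __name__ == "__main__":
    for line in check_kasp(SAMPLE_KASP, "/path/to/kasp.xml"):
        print(line)
```

Run against the constructed sample this prints four warnings: one InceptionOffset warning for the default policy, the PublishSafety and RetireSafety warnings for Policy1 in the same wording as the thread's kaspcheck output, and the added validity-versus-TTL warning that the thread notes kaspcheck did not yet emit.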

