[Opendnssec-develop] Few questions

Rick Zijlker rick.zijlker at sidn.nl
Wed Jul 14 14:58:24 UTC 2010

Hey guys,

We are going through some real-life scenario's with ODS and a few questions popped up concerning key management:

-          We configured the publish period at 1 hour now, but it takes 2 hours.

o   Publish safety 20 minutes

o   Zone Propagation delay 30 minutes

o   Zone TTL 10 minutes

Is there any other setting I should take into account? Key TTL? That one is 30 minutes. The key list tells next transition is in 1 hour 20 minutes so it looks more like it uses [PubSaf]+[ZonProp]+[key TTL] to determine publish time. But still it takes 2 hours before the key gets ready state. We resign every 30 minutes.

-          In a zone without DS records, we get 3 NSEC3 RR's. 1 for SOA, NS, TXT and 1 for SRV. I can't figure out which RRset the last NSEC3 record belongs to. Can anyone enlighten me?

-          First time you use ds-seen to activate the first KSK you get an error message concerning retiring an old key, but there ain't one to retire. It might be better to hide this message in case of a first KSK activation.

-          When the first KSK has been published long enough the logging tells you to use "key ksk-roll" while this should be "ds-seen". Has that been fixed after 1.1.0? Since that's the version we are using.

Next to these minor things OpenDNSSEC is running well. In 2-3 weeks we'll start the official acceptance tests in which we incorporate DNSSEC in the network architecture.

Rick Zijlker
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20100714/8483f1c6/attachment.htm>

More information about the Opendnssec-develop mailing list