[Opendnssec-develop] Few questions

Sion Lloyd sion at nominet.org.uk
Wed Jul 14 15:21:05 UTC 2010

just the enforcer-specific questions...

> -          We configured the publish period at 1 hour now, but it takes 2
> hours.
> o   Publish safety 20 minutes
> o   Zone Propagation delay 30 minutes
> o   Zone TTL 10 minutes
> Is there any other setting I should take into account? Key TTL? That one is
> 30 minutes. The key list tells next transition is in 1 hour 20 minutes so
> it looks more like it uses [PubSaf]+[ZonProp]+[key TTL] to determine
> publish time. But still it takes 2 hours before the key gets ready state.
> We resign every 30 minutes.

The key will not change state until the enforcer runs; what is the enforcer 
run interval?

> -          First time you use ds-seen to activate the first KSK you get an
> error message concerning retiring an old key, but there ain't one to
> retire. It might be better to hide this message in case of a first KSK
> activation.

That is true. I'll add it to pivotal.

> -          When the first KSK has been published long enough the logging
> tells you to use "key ksk-roll" while this should be "ds-seen". Has that
> been fixed after 1.1.0? Since that's the version we are using.

That is fixed in 1.1.1.

> Next to these minor things OpenDNSSEC is running well. In 2-3 weeks we'll
> start the official acceptance tests in which we incorporate DNSSEC in the
> network architecture.



More information about the Opendnssec-develop mailing list