[Opendnssec-develop] Few questions
Sion Lloyd
sion at nominet.org.uk
Wed Jul 14 15:21:05 UTC 2010
Just the enforcer-specific questions...
> - We configured the publish period at 1 hour now, but it takes 2
> hours.
>
> o Publish safety 20 minutes
>
> o Zone Propagation delay 30 minutes
>
> o Zone TTL 10 minutes
>
> Is there any other setting I should take into account? Key TTL? That one is
> 30 minutes. The key list tells next transition is in 1 hour 20 minutes so
> it looks more like it uses [PubSaf]+[ZonProp]+[key TTL] to determine
> publish time. But still it takes 2 hours before the key gets ready state.
> We resign every 30 minutes.
The key will not change state until the enforcer runs; what is the enforcer
run interval?
> - First time you use ds-seen to activate the first KSK you get an
> error message concerning retiring an old key, but there ain't one to
> retire. It might be better to hide this message in case of a first KSK
> activation.
That is true. I'll add it to pivotal.
> - When the first KSK has been published long enough the logging
> tells you to use "key ksk-roll" while this should be "ds-seen". Has that
> been fixed after 1.1.0? Since that's the version we are using.
That is fixed in 1.1.1.
> Next to these minor things OpenDNSSEC is running well. In 2-3 weeks we'll
> start the official acceptance tests in which we incorporate DNSSEC in the
> network architecture.
Cool.
Sion