[Opendnssec-develop] TTL for signatures
Matthijs Mekking
matthijs at NLnetLabs.nl
Thu Aug 11 12:46:23 UTC 2011
On 08/11/2011 01:53 PM, Rick van Rein wrote:
> Hey,
>
>> I think we should go for the second option.
>
> +1
ACK
>> Apart from that, MaxZoneTTL
>> might be a better name than just TTL.
>
> +1
ACK
> I am still confused about making the option mandatory though.
>
> We're changing a hardcoded default into a configurable option,
> and all of a sudden all users who upgrade OpenDNSSEC are then
> "punished" by being forced into studying documentation while
> new users will have a smooth ride because the configfiles contain
> the default. Rather than causing people to read docs, I'm pretty
> sure that they'll just copy the mandatory new attribute from the
> default configs, so they end up (as do the new users) with a setup
> that works due to reasonable defaults, even if they don't fully
> understand it. Since it's been working for them all along with
> a hardcoded setting, it seems strange to bother them now that we
> decided to make it more flexible.
>
> IMHO, making the attribute mandatory conflicts with the pushbutton
> ideal, and it doesn't add any direct usefulness as far as I can tell.
>
> Still, we discussed it yesterday, so I'm merely sharing my
> confusion over what we concluded. I'll leave it to others to
> pick up on this if they agree with me.

The risk I tried to point out yesterday is that when you make a change
in the policy that changes the behavior of the software, you might end
up in unpredicted situations. For example, when we moved Stand-by Keys
to deprecated, the old policy was still accepted by the software that
deprecated Stand-by Keys but did not behave as it did before. This gave
issues.

However, when adding a feature it is probably less troublesome to make
it optional and default to some defined standard behavior.

Best regards,
Matthijs
>
>
> Cheers,
> -Rick