[Opendnssec-develop] Enforcer NG kasp policy checks

Yuri Schaeffer yuri at nlnetlabs.nl
Thu Aug 9 10:02:53 UTC 2012

> Aug  9 10:18:36 debian64-ods01 ods-enforcerd: [enforcer] updatePolicy
> Key lifetime unreasonably short with respect to TTL and MaxZoneTTL.
> Will not insert key!

> Or is this maybe that MaxZoneTTL is new and does not have a default value?

The MaxZoneTTL directive is new, the default value is 24 hours. This is
hardcoded with the same value in 1.x.

For 1.x having a key lifetime shorter then the time it takes to roll a
key isn't a problem - it performs just one rollover at the time and is
thus bound by the TTLs anyway, lifetime is stretched. Whereas for 2.x
the enforcer would never fully complete a roll, always hopping to the
next new key, so this is refused.

This affects users that try to rollover MORE then possible, which in 1.x
is bound to something *somewhat* sane... Among other features, 2.x
supports insanity. ;)

I think this is the only case where the enforcer-ng outright refuses to
take action instead of delaying.


More information about the Opendnssec-develop mailing list