[Opendnssec-user] RRSIG reuse thoughts...

Marco Davids (SIDN) marco.davids at sidn.nl
Thu Jul 8 09:59:12 UTC 2010


Dear folks,

I am looking into the possibilities of not taking advantage of
OpenDNSSEC's signature-reuse capabilities, but instead to regenerate
each and every RRSIG from scratch whenever a signing command is issued.
I see benefits in such a setup (think of a scenario where resigning is
halted, or contact to slaves is lost for some reason - fresh RRSIGs
could buy me more time to solve the issue).

This config seems to achieve my goal:

               <Signatures>
                        <Resign>PT594000S</Resign>
                        <Refresh>PT604799S</Refresh>
                        <Validity>
                                        <Default>PT604800S</Default>
                                        <Denial>PT604800S</Denial>
                        </Validity>
                        <Jitter>PT0S</Jitter>
                        <InceptionOffset>PT0S</InceptionOffset>
                </Signatures>

The question is: is this a desirable setup? And how intelligent and
efficient is OpenDNSSEC here? Will it still inspect each and every
existing RRSIG, only to find out that it needs to be refreshed? Or will
it know that this is not very efficient to do with such a configuration
and that it is better to refresh every RRSIG regardless?

Are there other, better ways to disable signature re-use, or is it
discommendable behaviour anyway?

Thank you for your insights.

-- 
Marco
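The timing rules behind the question above, as an added example that is not part of the original message and not OpenDNSSEC's own code: a small Python model that parses the ISO 8601 durations of a <Signatures> block, applies the documented <Refresh> semantics (an RRSIG is regenerated once its remaining validity is no longer than the refresh period, otherwise it is reused), and simulates a series of signer runs. It shows why Refresh = Validity minus one second forces every RRSIG to be regenerated on every run, and it catches the Denial value "PT604800" that lacks a unit designator. The flat dictionary keys (ValidityDefault, ValidityDenial), the reuse-friendly comparison values, the "Refresh must cover Resign plus Jitter" safety margin and the deterministic treatment of jitter are assumptions of this model, not OpenDNSSEC's own checks or defaults.

```python
"""Model of OpenDNSSEC <Signatures> timing (added example, not OpenDNSSEC code)."""
import re
from datetime import timedelta

# The subset of ISO 8601 durations kasp.xml uses: PnDTnHnMnS (weeks, months and
# years are not modelled). A value without a unit designator, such as
# "PT604800", does not match and is rejected.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Return the duration as a timedelta, or raise ValueError if it is malformed."""
    m = _DURATION.match(text)
    if m is None or not any(m.groups()) or text.endswith("T"):
        raise ValueError(f"invalid ISO 8601 duration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def is_valid_duration(text):
    try:
        parse_duration(text)
        return True
    except ValueError:
        return False


def check_signatures(cfg):
    """Sanity-check a <Signatures> block given as {element: text}.
    Keys (an assumption of this model): Resign, Refresh, ValidityDefault,
    ValidityDenial, Jitter, InceptionOffset. Returns a list of problems."""
    problems, parsed = [], {}
    for name, text in cfg.items():
        try:
            parsed[name] = parse_duration(text)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    if len(parsed) < len(cfg):
        return problems  # cannot reason about timing while a value is unparsable
    if parsed["Resign"] >= parsed["ValidityDefault"]:
        problems.append("Resign not shorter than Validity: RRSIGs expire before the next run")
    # An RRSIG skipped at one run (more than Refresh remaining) must still be
    # valid at the next run; this margin is the model's own assumption.
    if parsed["Refresh"] < parsed["Resign"] + parsed["Jitter"]:
        problems.append("Refresh shorter than Resign + Jitter: a reused RRSIG may expire")
    return problems


def refresh_needed(expiration, now, refresh):
    """Documented <Refresh> semantics: regenerate once the remaining validity
    is no longer than the refresh period; otherwise reuse the existing RRSIG."""
    return expiration - now <= refresh


def simulate_runs(cfg, n_rrsigs, runs):
    """Run the signer `runs` times, once per <Resign>, over n_rrsigs RRSIGs all
    created at t=0 (jitter ignored, so the model is deterministic).
    Returns the number of RRSIGs regenerated in each run."""
    resign, refresh, validity = (
        parse_duration(cfg[k]) for k in ("Resign", "Refresh", "ValidityDefault"))
    now = timedelta(0)
    expirations = [validity] * n_rrsigs
    regenerated_per_run = []
    for _ in range(runs):
        now += resign
        count = 0
        for i, expiration in enumerate(expirations):
            if refresh_needed(expiration, now, refresh):
                expirations[i] = now + validity
                count += 1
        regenerated_per_run.append(count)
    return regenerated_per_run


# The block as posted, transcribed into the model's keys; Denial lacks its "S".
AS_POSTED = {
    "Resign": "PT594000S", "Refresh": "PT604799S",
    "ValidityDefault": "PT604800S", "ValidityDenial": "PT604800",
    "Jitter": "PT0S", "InceptionOffset": "PT0S",
}
NO_REUSE = dict(AS_POSTED, ValidityDenial="PT604800S")
# A reuse-friendly setting for comparison (assumed values, not a project default).
WITH_REUSE = {
    "Resign": "PT2H", "Refresh": "P3D", "ValidityDefault": "P7D",
    "ValidityDenial": "P7D", "Jitter": "PT12H", "InceptionOffset": "PT1H",
}

if __name__ == "__main__":
    print("as posted:", check_signatures(AS_POSTED))
    print("no reuse, 4 RRSIGs x 4 runs:", simulate_runs(NO_REUSE, 4, 4))
    print("with reuse, 4 RRSIGs x 84 runs:",
          sum(simulate_runs(WITH_REUSE, 4, 84)), "regenerated in total")
```

Under the no-reuse values every run regenerates all four RRSIGs, because 604800 - 594000 = 10800 seconds remain at each run, which is well inside the 604799-second refresh window. Under the comparison values the same four RRSIGs are regenerated only once in a week of two-hourly runs (at the run where exactly three days remain), which is the saving that signature reuse buys and that the no-reuse setup gives up. The model inspects every RRSIG on every run in both cases; whether the signer short-circuits that inspection is the open question in the message.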