[Opendnssec-user] RRSIG reuse thoughts...

Rick Zijlker rick.zijlker at sidn.nl
Thu Jul 8 12:13:58 UTC 2010


Hey Marco,

The best way to do it is to make sure OpenDNSSEC has no cache to work with. In other words: empty the /var/opendnssec/tmp and /signed directories after every manual resign. This way OpenDNSSEC has no signatures to reuse.

Also, OpenDNSSEC 1.1.0 has an issue with the auditor not accepting InceptionOffset of "0". 

Cheers,
Rick

-----Original Message-----
From: opendnssec-user-bounces at lists.opendnssec.org [mailto:opendnssec-user-bounces at lists.opendnssec.org] On Behalf Of Marco Davids (SIDN)
Sent: Thursday, July 08, 2010 11:59 AM
To: opendnssec-user at lists.opendnssec.org
Subject: [Opendnssec-user] RRSIG reuse thoughts...

Dear folks,

I am looking into the possibilities of not taking advantage of
OpenDNSSEC's signature-reuse capabilities, but instead to regenerate
each and every RRSIG from scratch whenever a signing command is issued.
I see benefits in such a setup (think of a scenario where resigning is
halted, or contact to slaves is lost for some reason - fresh RRSIGs
could buy me more time to solve the issue).

This config seems to achieve my goal:

                <Signatures>
                        <Resign>PT594000S</Resign>
                        <Refresh>PT604799S</Refresh>
                        <Validity>
                                <Default>PT604800S</Default>
                                <Denial>PT604800S</Denial>
                        </Validity>
                        <Jitter>PT0S</Jitter>
                        <InceptionOffset>PT0S</InceptionOffset>
                </Signatures>

Question is: Is this a desirable setup? And how intelligent and
efficient is OpenDNSSEC here? Will it still inspect each and every
existing RRSIG, only to find out that it needs to be refreshed? Or will
it know that this is not very efficient to do with such a configuration
and that it is better to refresh every RRSIG regardlessly?

Are there other, better ways to disable signature re-use, or is it
discommendable behaviour anyway?

Thank you for your insights.

-- 
Marco

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
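The policy in the original post works because Refresh is one second short of Validity, so every RRSIG is inside its refresh window by the time the next resign run comes around. Below is an added example, not code from OpenDNSSEC or from either poster, that parses a kasp.xml <Signatures> block and simulates the reuse decision per run, comparing the thread's policy with the default-style timings from the sample kasp.xml (those default values are quoted from memory and are illustrative only). The refresh rule it applies (regenerate once fewer than Refresh seconds of validity remain) is an assumption that mirrors the documented meaning of Refresh; the exact boundary in the real signer is not verified. The duration parser also rejects a number with no unit, such as the "PT604800" that slipped into the posted Denial value.

```python
"""Added example (not OpenDNSSEC code): simulate which RRSIGs a signer would
reuse under a kasp.xml <Signatures> policy.

Assumed refresh rule: a signature is regenerated once fewer than <Refresh>
seconds of validity remain.  The '<' versus '<=' boundary of the real signer
is not verified here; it does not change the outcome for these policies.
"""
import re
from dataclasses import dataclass
import xml.etree.ElementTree as ET

# Units this helper accepts.  Years and months are deliberately rejected
# (their length is calendar-dependent); OpenDNSSEC's own parser does more.
_UNIT_SECONDS = {"W": 7 * 86400, "D": 86400, "H": 3600, "M": 60, "S": 1}
_DURATION_RE = re.compile(r"P((?:\d+[WD])*)(?:T((?:\d+[HMS])+))?")


def parse_duration(text):
    """Seconds in an ISO 8601 duration such as PT604799S, P3D or PT1H30M.
    A number without a unit ('PT604800') is rejected: exactly the typo that
    slips into hand-edited kasp.xml files."""
    if text is None:
        raise ValueError("missing duration")
    m = _DURATION_RE.fullmatch(text.strip())
    if not m or not (m.group(1) or m.group(2)):
        raise ValueError(f"not a valid ISO 8601 duration: {text!r}")
    seconds = 0
    for n, unit in re.findall(r"(\d+)([WD])", m.group(1)):
        seconds += int(n) * _UNIT_SECONDS[unit]
    for n, unit in re.findall(r"(\d+)([HMS])", m.group(2) or ""):
        seconds += int(n) * _UNIT_SECONDS[unit]  # 'M' after 'T' is minutes
    return seconds


def is_valid_duration(text):
    try:
        parse_duration(text)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class SignaturePolicy:
    resign: int
    refresh: int
    validity: int          # <Validity><Default>
    denial_validity: int   # <Validity><Denial>
    jitter: int
    inception_offset: int

    @classmethod
    def from_xml(cls, xml_text):
        """Build a policy from a <Signatures> element or a document holding one."""
        root = ET.fromstring(xml_text.strip())
        sig = root if root.tag == "Signatures" else root.find(".//Signatures")
        if sig is None:
            raise ValueError("no <Signatures> element")
        get = lambda path: parse_duration(sig.findtext(path))
        policy = cls(get("Resign"), get("Refresh"), get("Validity/Default"),
                     get("Validity/Denial"), get("Jitter"), get("InceptionOffset"))
        # Sanity check: a refresh window shorter than the resign interval could
        # let a signature expire before the run that would have renewed it.
        if not policy.resign < policy.refresh < policy.validity:
            raise ValueError("need Resign < Refresh < Validity")
        return policy


# The policy from the thread (constructed copy, with the missing 'S' on Denial).
MARCO_KASP_XML = """
<Signatures>
  <Resign>PT594000S</Resign>
  <Refresh>PT604799S</Refresh>
  <Validity>
    <Default>PT604800S</Default>
    <Denial>PT604800S</Denial>
  </Validity>
  <Jitter>PT0S</Jitter>
  <InceptionOffset>PT0S</InceptionOffset>
</Signatures>
"""
MARCO_POLICY = SignaturePolicy.from_xml(MARCO_KASP_XML)

# Default-style timings as in the sample kasp.xml (from memory; illustrative):
# Resign PT2H, Refresh P3D, Validity P14D, Jitter PT12H, InceptionOffset PT3600S.
SAMPLE_POLICY = SignaturePolicy(7200, 3 * 86400, 14 * 86400, 14 * 86400,
                                12 * 3600, 3600)


def needs_refresh(policy, expiration, now):
    """Assumed rule: regenerate when fewer than `refresh` seconds remain."""
    return expiration - now < policy.refresh


def simulate(policy, runs, t0=0):
    """Sign once at t0, then perform `runs` resign runs `resign` seconds apart.
    Returns one bool per run: True if the RRSIG was regenerated, False if the
    existing one was reused.  Jitter is ignored (assumption)."""
    expiration = t0 + policy.validity
    decisions = []
    for k in range(1, runs + 1):
        now = t0 + k * policy.resign
        regenerate = needs_refresh(policy, expiration, now)
        if regenerate:
            expiration = now + policy.validity
        decisions.append(regenerate)
    return decisions


def guaranteed_headroom(policy):
    """Seconds the zone stays valid if signing stops right after a run: every
    signature that was not regenerated still had at least `refresh` seconds
    left, so Refresh is the floor regardless of how many were reused."""
    return policy.refresh


if __name__ == "__main__":
    for name, pol, runs in (("thread", MARCO_POLICY, 10), ("sample", SAMPLE_POLICY, 168)):
        d = simulate(pol, runs)
        print(f"{name}: {sum(d)}/{len(d)} runs regenerated the RRSIG; "
              f"headroom after any run >= {guaranteed_headroom(pol)} s")
```

With the thread's policy every run regenerates the signature; with the sample timings one regeneration occurs in two weeks of two-hourly runs. Note that in this model the time a zone survives a stalled signer is set by Refresh alone, so a reusing policy with a large Refresh buys the same headroom. One caveat on InceptionOffset PT0S: RFC 4035 requires a validator's current time to be at or after the RRSIG inception, so a resolver whose clock is a few seconds behind the signer will reject a signature whose inception equals the signing time.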
