[Opendnssec-user] Upgrading to 1.1

Mathieu Arnold mat at mat.cc
Wed Jul 14 10:31:48 UTC 2010


+--On 14 July 2010 11:47:19 +0200 Matthijs Mekking
<matthijs at NLnetLabs.nl> wrote:
| Hi Mathieu,
| 
| Those are indeed a lot of NSEC3 records. Could you share with me the
| kasp.xml file you are using for this zone (off list if you like)?

It's pretty standard, but that's the part:

                <Signatures>
                        <Resign>PT4H</Resign>
                        <Refresh>P3D</Refresh>
                        <Validity>
                                <Default>P7D</Default>
                                <Denial>P7D</Denial>
                        </Validity>
                        <Jitter>PT6H</Jitter>
                        <InceptionOffset>PT1H</InceptionOffset>
                </Signatures>

                <Denial>
                        <NSEC3>
                                <Resalt>P50D</Resalt>
                                <Hash>
                                        <Algorithm>1</Algorithm>
                                        <Iterations>100</Iterations>
                                        <Salt length="8"/>
                                </Hash>
                        </NSEC3>
                </Denial>

                <Keys>
                        <!-- Parameters for both KSK and ZSK -->
                        <TTL>PT3H</TTL>
                        <RetireSafety>PT30H</RetireSafety> <!-- P1DT6H does not work -->
                        <PublishSafety>PT30H</PublishSafety> <!-- P1DT6H does not work -->
                        <!-- <ShareKeys/> -->
                        <Purge>P5D</Purge>

                        <!-- Parameters for KSK only -->
                        <KSK>
                                <Algorithm length="2048">7</Algorithm>
                                <Lifetime>P1Y</Lifetime>
                                <Repository>softHSM</Repository>
                                <Standby>0</Standby>
                        </KSK>

                        <!-- Parameters for ZSK only -->
                        <ZSK>
                                <Algorithm length="1024">7</Algorithm>
                                <Lifetime>P30D</Lifetime>
                                <Repository>softHSM</Repository>
                                <Standby>0</Standby>
                        </ZSK>
                </Keys>

                <Zone>
                        <PropagationDelay>PT5M</PropagationDelay>
                        <SOA>
                                <TTL>PT12H</TTL>
                                <Minimum>PT12H</Minimum>
                                <Serial>counter</Serial>
                        </SOA>
                </Zone>

                <Parent>
                        <PropagationDelay>PT6H</PropagationDelay>
                        <DS>
                                <TTL>P2D</TTL>
                        </DS>
                        <SOA>
                                <TTL>PT2H</TTL>
                                <Minimum>PT6H</Minimum>
                        </SOA>
                </Parent>

                <!-- <Audit/> -->

-- 
Mathieu Arnold


