[Opendnssec-user] Upgrading to 1.1
Mathieu Arnold
mat at mat.cc
Wed Jul 14 10:31:48 UTC 2010
+--On 14 July 2010 11:47:19 +0200 Matthijs Mekking
<matthijs at NLnetLabs.nl> wrote:
| Hi Mathieu,
|
| Those are indeed a lot of NSEC3 records. Could you share with me the
| kasp.xml file you are using for this zone (off list if you like)?
It's pretty standard, but that's the part:
<Signatures>
    <Resign>PT4H</Resign>
    <Refresh>P3D</Refresh>
    <Validity>
        <Default>P7D</Default>
        <Denial>P7D</Denial>
    </Validity>
    <Jitter>PT6H</Jitter>
    <InceptionOffset>PT1H</InceptionOffset>
</Signatures>
<Denial>
    <NSEC3>
        <Resalt>P50D</Resalt>
        <Hash>
            <Algorithm>1</Algorithm>
            <Iterations>100</Iterations>
            <Salt length="8"/>
        </Hash>
    </NSEC3>
</Denial>
<Keys>
    <!-- Parameters for both KSK and ZSK -->
    <TTL>PT3H</TTL>
    <RetireSafety>PT30H</RetireSafety> <!-- P1DT6H does not work -->
    <PublishSafety>PT30H</PublishSafety> <!-- P1DT6H does not work -->
    <!-- <ShareKeys/> -->
    <Purge>P5D</Purge>
    <!-- Parameters for KSK only -->
    <KSK>
        <Algorithm length="2048">7</Algorithm>
        <Lifetime>P1Y</Lifetime>
        <Repository>softHSM</Repository>
        <Standby>0</Standby>
    </KSK>
    <!-- Parameters for ZSK only -->
    <ZSK>
        <Algorithm length="1024">7</Algorithm>
        <Lifetime>P30D</Lifetime>
        <Repository>softHSM</Repository>
        <Standby>0</Standby>
    </ZSK>
</Keys>
<Zone>
    <PropagationDelay>PT5M</PropagationDelay>
    <SOA>
        <TTL>PT12H</TTL>
        <Minimum>PT12H</Minimum>
        <Serial>counter</Serial>
    </SOA>
</Zone>
<Parent>
    <PropagationDelay>PT6H</PropagationDelay>
    <DS>
        <TTL>P2D</TTL>
    </DS>
    <SOA>
        <TTL>PT2H</TTL>
        <Minimum>PT6H</Minimum>
    </SOA>
</Parent>
<!-- <Audit/> -->
--
Mathieu Arnold