[Opendnssec-user] Upgrading to 1.1
Matthijs Mekking
matthijs at NLnetLabs.nl
Wed Jul 14 16:38:44 UTC 2010
Hi Mathieu,
I believe that it is correct that the signer puts that many NSEC3
records in the zone. It has two for the domain names
d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa. and
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa.
and 19 for the empty non-terminals that exist between these two domain
names.
So perhaps the auditor is complaining unjustly.
Best regards,
Matthijs
On 07/14/2010 12:31 PM, Mathieu Arnold wrote:
> +--On 14 juillet 2010 11:47:19 +0200 Matthijs Mekking
> <matthijs at NLnetLabs.nl> wrote:
> | Hi Mathieu,
> |
> | Those are indeed a lot of NSEC3 records. Could you share with me the
> | kasp.xml file you are using for this zone (off list if you like)?
>
> It's pretty standard, but here's the relevant part:
>
> <Signatures>
> <Resign>PT4H</Resign>
> <Refresh>P3D</Refresh>
> <Validity>
> <Default>P7D</Default>
> <Denial>P7D</Denial>
> </Validity>
> <Jitter>PT6H</Jitter>
> <InceptionOffset>PT1H</InceptionOffset>
> </Signatures>
>
> <Denial>
> <NSEC3>
> <Resalt>P50D</Resalt>
> <Hash>
> <Algorithm>1</Algorithm>
> <Iterations>100</Iterations>
> <Salt length="8"/>
> </Hash>
> </NSEC3>
> </Denial>
>
> <Keys>
> <!-- Parameters for both KSK and ZSK -->
> <TTL>PT3H</TTL>
> <RetireSafety>PT30H</RetireSafety> <!-- P1DT6H doesn't work -->
> <PublishSafety>PT30H</PublishSafety> <!-- P1DT6H doesn't work -->
> <!-- <ShareKeys/> -->
> <Purge>P5D</Purge>
>
> <!-- Parameters for KSK only -->
> <KSK>
> <Algorithm length="2048">7</Algorithm>
> <Lifetime>P1Y</Lifetime>
> <Repository>softHSM</Repository>
> <Standby>0</Standby>
> </KSK>
>
> <!-- Parameters for ZSK only -->
> <ZSK>
> <Algorithm length="1024">7</Algorithm>
> <Lifetime>P30D</Lifetime>
> <Repository>softHSM</Repository>
> <Standby>0</Standby>
> </ZSK>
> </Keys>
>
> <Zone>
> <PropagationDelay>PT5M</PropagationDelay>
> <SOA>
> <TTL>PT12H</TTL>
> <Minimum>PT12H</Minimum>
> <Serial>counter</Serial>
> </SOA>
> </Zone>
>
> <Parent>
> <PropagationDelay>PT6H</PropagationDelay>
> <DS>
> <TTL>P2D</TTL>
> </DS>
> <SOA>
> <TTL>PT2H</TTL>
> <Minimum>PT6H</Minimum>
> </SOA>
> </Parent>
>
> <!-- <Audit/> -->
>
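The count Matthijs gives (2 NSEC3 records for the two real owner names plus 19 for the empty non-terminals between them) can be checked mechanically. The script below is an added example, not OpenDNSSEC code: it enumerates the empty non-terminals (ENTs) a signer must cover, then computes each owner's RFC 5155 NSEC3 hash with the parameters from the quoted kasp.xml (algorithm 1 = SHA-1, 100 iterations, 8-byte salt). It assumes the shorter of the two names is the zone apex, which the thread does not state explicitly; the salt value is made up.

```python
"""Added example: count the NSEC3 owner names a signer emits for a zone,
including the empty non-terminals (ENTs) between a name and the apex, and
compute each owner's RFC 5155 NSEC3 hash (algorithm 1 = SHA-1).
Not OpenDNSSEC code."""
import base64
import hashlib

# Constructed input: the two owner names from the thread. The zone apex is
# assumed to be the shorter of them; the post does not say so explicitly.
APEX = "d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa."
NAMES = [
    APEX,
    "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0." + APEX,
]
# Constructed NSEC3 parameters matching the quoted kasp.xml: SHA-1,
# 100 iterations, an 8-byte salt (the salt value itself is made up).
SALT = bytes.fromhex("0123456789abcdef")
ITERATIONS = 100


def labels(name):
    """Split a fully qualified name into its labels, lowercased."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def empty_non_terminals(names, apex):
    """Return every name strictly between a listed name and the apex that
    owns no records of its own. Each of these still needs an NSEC3 RR,
    otherwise a validator could not prove NODATA/NXDOMAIN beneath it."""
    apex_labels = labels(apex)
    present = {tuple(labels(n)) for n in names} | {tuple(apex_labels)}
    ents = set()
    for n in names:
        ls = labels(n)
        if ls[-len(apex_labels):] != apex_labels:
            raise ValueError("%s is not below apex %s" % (n, apex))
        # Walk up one label at a time; any ancestor not in the zone is an ENT.
        while len(ls) > len(apex_labels):
            ls = ls[1:]
            if tuple(ls) not in present:
                ents.add(".".join(ls) + ".")
    return sorted(ents, key=len)


def wire_name(name):
    """Canonical (lowercase) uncompressed wire-format name, RFC 4034 s6.2."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels(name))
    return out + b"\x00"


# base32 -> base32hex alphabet translation (RFC 4648 s7), as NSEC3 uses.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt, iterations):
    """RFC 5155 s5: IH(0) = SHA-1(name || salt); IH(k) = SHA-1(IH(k-1) || salt);
    the NSEC3 owner label is IH(iterations) encoded in base32hex."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).translate(_B32_TO_B32HEX).decode("ascii")


def nsec3_chain(names, apex, salt, iterations):
    """All NSEC3 owners (real names plus ENTs), sorted into hash order as they
    would be chained in the zone. Returns (hash, original name) pairs."""
    owners = set(names) | {apex} | set(empty_non_terminals(names, apex))
    return sorted((nsec3_hash(n, salt, iterations), n) for n in owners)


if __name__ == "__main__":
    ents = empty_non_terminals(NAMES, APEX)
    print("empty non-terminals:", len(ents))
    chain = nsec3_chain(NAMES, APEX, SALT, ITERATIONS)
    print("NSEC3 records:", len(chain))
    for h, n in chain:
        print(h.lower(), n)
```

Run as-is it reports 19 empty non-terminals and a 21-entry NSEC3 chain for the thread's zone, which is exactly what the signer produced. Each extra label of depth in a reverse zone costs one more NSEC3 RR (and one RRSIG), so a single deep ip6.arpa delegation inflates the zone far more than the visible record count suggests; that is the effect the auditor flagged, not a signer bug.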