[Opendnssec-user] initial config questions: Need <Parent/> stanza? What's PropagationDelay?
Sebastian Castro
sebastian at nzrs.net.nz
Thu Apr 28 23:25:54 UTC 2011
On 04/29/2011 05:57 AM, dchilton+opendnssec at bestmail.us wrote:
> Hi.
>
Hi,
> I have a bind9 hidden primary feeding a remote nsd secondary, which
> itself feeds another secondary @ my host which is exposed to the 'net.
>
> I'm installing opendnssec on the bind9 box; I'm walking through the
> install documentation.
>
> @ /etc/opendnssec/kasp.xml, I'm unclear about the need/use of
> <Parent>...</Parent> in my case. Do I need that stanza?
>
Unless your zone is the root zone, you will need that ;)
> And, in both <Zone>...</Zone> and <Parent>...</Parent>, I note
> <PropagationDelay>PT####S</PropagationDelay>. Where do I get those
> propagation delay values? Iiuc, it's not something I *control*, is it?
> Is it heuristically determined?
>
If you check the documentation about the KASP
http://trac.opendnssec.org/wiki/Signer/Using/Configuration/kasp
you will get a hint of what they mean.
How to get them? Usually from your parent's policy (likely the DPS).
Let's check case by case:

<PropagationDelay> is the interval between the time a new KSK is
published in the zone and the time that the DS record appears in the
parent zone.
-> How long does the parent take to receive, process and publish a DNS
change? 5 minutes? 5 hours?

The <DS> tag holds information about the DS record in the parent. It
contains a single element, <TTL>, which should be set to the TTL of the
DS record in the parent zone.
-> Which TTL will they be using for the DS records? The same as the NS
records? If the parent is already publishing DS records for other child
zones, you can get that from the DNS. If the registry interface allows
you to specify the TTL for the DS records, it's up to you to decide.

<SOA> gives information about parameters of the parent's SOA record,
used by KASP in its calculations. As before, <TTL> is the TTL of the SOA
record and <Minimum> is the value of the "minimum" parameter.
-> You can get this from the SOA record of your parent zone.

I hope it helps
Cheers,
> Thanks,
>
> DCh
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
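
The lookup described in the reply above, as an added example that is not part of the original message: it parses dig-format answer lines for the parent's SOA and DS records and emits the matching <Parent> stanza for kasp.xml. The zone names, record values and function names are constructed for illustration; the input is assumed to come from the parent's authoritative server (for example with dig +norecurse), so the TTLs are the published ones and not a cache's remaining TTL.

```python
import xml.etree.ElementTree as ET

# Constructed sample: answer lines in dig format from an authoritative server
# of a hypothetical parent zone "example." (all values invented).
SAMPLE = """\
;; ANSWER SECTION:
example.        3600  IN  SOA  ns1.example. hostmaster.example. 2011042801 1800 900 604800 900
child.example.  7200  IN  DS   12345 8 2 <digest-placeholder>
"""

def parse_parent_records(dig_text):
    """Return SOA TTL, SOA minimum and DS TTL (in seconds) from dig answer lines."""
    found = {}
    for line in dig_text.splitlines():
        fields = line.split()
        # Skip comments, blank lines and anything that is not "name ttl IN type rdata".
        if line.startswith(";") or len(fields) < 5 or fields[2] != "IN":
            continue
        ttl, rtype, rdata = int(fields[1]), fields[3], fields[4:]
        if rtype == "SOA" and len(rdata) == 7:
            found["soa_ttl"] = ttl
            found["soa_minimum"] = int(rdata[6])  # last SOA field is "minimum"
        elif rtype == "DS":
            # If several DS lines are present, keep the lowest TTL seen.
            found["ds_ttl"] = min(ttl, found.get("ds_ttl", ttl))
    missing = {"soa_ttl", "soa_minimum", "ds_ttl"} - found.keys()
    if missing:
        raise ValueError("missing parent data: " + ", ".join(sorted(missing)))
    return found

def parent_stanza(values, propagation_delay_s):
    """Build <Parent>. The propagation delay is not visible in DNS; it comes
    from the parent's policy, so the caller has to supply it."""
    def dur(seconds):
        return "PT%dS" % seconds  # same PT####S form as in the question
    parent = ET.Element("Parent")
    ET.SubElement(parent, "PropagationDelay").text = dur(propagation_delay_s)
    ET.SubElement(ET.SubElement(parent, "DS"), "TTL").text = dur(values["ds_ttl"])
    soa = ET.SubElement(parent, "SOA")
    ET.SubElement(soa, "TTL").text = dur(values["soa_ttl"])
    ET.SubElement(soa, "Minimum").text = dur(values["soa_minimum"])
    ET.indent(parent)
    return ET.tostring(parent, encoding="unicode")

if __name__ == "__main__":
    # 3600 s is an assumed propagation delay, used for illustration only.
    print(parent_stanza(parse_parent_records(SAMPLE), propagation_delay_s=3600))
```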