[Opendnssec-user] Different Default signature validity versus Denial signature validity

Sebastian Castro sebastian at nzrs.net.nz
Wed Apr 18 03:33:54 UTC 2012

Long time since my last message to the list :)

We've been working in a solution to have a separate signing engine in
case OpenDNSSEC fails to sign data properly. We've been benefiting from
ods4bind.pl (thanks Roy/Jakob) to do this.

Testing so far looks good, with the resulting zones passing the enforcer
checks *except* for the signature lifetime. OpenDNSSEC, depending on the
policy, will produce different signature lifetime for NSEC/NSEC3
compared to the rest of the signatures. BIND, on the other hand, it
doesn't provide that functionality.

Reading RFC 4641bis version 11, section mentions why it's a good
idea to have different lifetimes, but it's not very strong about it. Is
still a good idea to have a different policy? I understand that policy
decisions are local and different lifetimes can be avoided by using the
same lifetime value for both cases, but I'm trying to understand rather
than fixing.

Thanks for your wisdom,

Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

More information about the Opendnssec-user mailing list