Reply: Re: [Opendnssec-user] Signature period not precise
刘硕
shuoleo at 126.com
Tue Aug 21 11:23:22 UTC 2012
>The signature inception time is a function of the current time and the
>inception offset. Is your InceptionOffset in the kasp.xml policy 9 hours?
No, the InceptionOffset is 3600S, but the point is that the signature inception time is earlier, not later, than the current time; it is the opposite.
I signed a zone at 2012082119140544 or so, but the RRSIG SOA is:
example3. 300 IN RRSIG SOA 8 1 300 20120821130544 20120821101435 718 example3. RZsMib3Zx
Once the authoritative server loads the zone data above, it will not get authenticated by a recursive server with the +dnssec flag.
The policy I used is as follows:
<Policy name="lab">
  <Description>Quick turnaround policy for lab work</Description>
  <Signatures>
    <Resign>PT15M</Resign>
    <Refresh>PT30M</Refresh>
    <Validity>
      <Default>PT2H</Default>
      <Denial>PT1H</Denial>
    </Validity>
    <Jitter>PT10M</Jitter>
    <InceptionOffset>PT3600S</InceptionOffset>
  </Signatures>
  <Denial>
    <NSEC3>
      <OptOut/>
      <Resalt>P100D</Resalt>
      <Hash>
        <Algorithm>1</Algorithm>
        <Iterations>5</Iterations>
        <Salt length="8"/>
      </Hash>
    </NSEC3>
  </Denial>
  <Keys>
    <!-- Parameters for both KSK and ZSK -->
    <TTL>PT3000S</TTL>
    <RetireSafety>PT360S</RetireSafety>
    <PublishSafety>PT360S</PublishSafety>
    <ShareKeys/>
    <Purge>P1D</Purge>
    <!-- Parameters for KSK only -->
    <KSK>
      <Algorithm length="2048">8</Algorithm>
      <Lifetime>P1Y</Lifetime>
      <Repository>SoftHSM</Repository>
    </KSK>
    <!-- Parameters for ZSK only -->
    <ZSK>
      <Algorithm length="1024">8</Algorithm>
      <Lifetime>PT4H</Lifetime>
      <Repository>SoftHSM</Repository>
      <!-- <ManualRollover/> -->
    </ZSK>
  </Keys>
  <Zone>
    <PropagationDelay>PT300S</PropagationDelay>
    <SOA>
      <TTL>PT300S</TTL>
      <Minimum>PT300S</Minimum>
      <Serial>unixtime</Serial>
    </SOA>
  </Zone>
  <Parent>
    <PropagationDelay>PT9999S</PropagationDelay>
    <DS>
      <TTL>PT3600S</TTL>
    </DS>
    <SOA>
      <TTL>PT172800S</TTL>
      <Minimum>PT10800S</Minimum>
    </SOA>
  </Parent>
</Policy>
Best regards,
Stuart
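As an added example (not code from the mail above or from OpenDNSSEC), the following Python script parses the RRSIG quoted in the mail together with the <Signatures> block of the posted policy, and checks whether the record's inception and expiration are what the policy predicts for a given signing instant, and whether a validator would accept the record at a given moment. It assumes that RRSIG timestamps are in UTC (RFC 4034), that Jitter is applied symmetrically to the expiration time, and that the 19:14 local signing time corresponds to 11:14 UTC (i.e. a UTC+8 clock), in which case the observed inception of 10:14:35 is exactly one InceptionOffset earlier.

```python
from datetime import datetime, timedelta, timezone
import re, xml.etree.ElementTree as ET

# RRSIG SOA quoted in the mail (its signature data is truncated there as well).
RRSIG_LINE = ("example3. 300 IN RRSIG SOA 8 1 300 20120821130544 "
              "20120821101435 718 example3. RZsMib3Zx")
# <Signatures> block of the "lab" policy posted in the mail.
SIGNATURES_XML = """<Signatures><Resign>PT15M</Resign><Refresh>PT30M</Refresh>
<Validity><Default>PT2H</Default><Denial>PT1H</Denial></Validity>
<Jitter>PT10M</Jitter><InceptionOffset>PT3600S</InceptionOffset></Signatures>"""

def parse_duration(text):
    """Parse the ISO 8601 duration subset kasp.xml uses (PnDTnHnMnS)."""
    m = re.match(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$", text.strip())
    if not m:
        raise ValueError("unsupported duration: %r" % text)
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def utc(stamp):
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034); return an aware datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Return (expiration, inception) of a presentation-format RRSIG."""
    f = line.split()
    if len(f) < 10 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return utc(f[8]), utc(f[9])

def expected_window(signing_time, signatures_xml=SIGNATURES_XML):
    """Inception and the jittered expiration range the policy implies for a
    signature made at signing_time (an aware UTC datetime)."""
    sig = ET.fromstring(signatures_xml)
    offset = parse_duration(sig.findtext("InceptionOffset"))
    validity = parse_duration(sig.findtext("Validity/Default"))
    jitter = parse_duration(sig.findtext("Jitter"))  # assumed symmetric
    end = signing_time + validity
    return signing_time - offset, end - jitter, end + jitter

def rrsig_matches_policy(line, signing_time, signatures_xml=SIGNATURES_XML):
    """True if the RRSIG's times are what the policy predicts for signing_time."""
    exp, inc = parse_rrsig(line)
    want_inc, exp_lo, exp_hi = expected_window(signing_time, signatures_xml)
    return abs((inc - want_inc).total_seconds()) <= 60 and exp_lo <= exp <= exp_hi

def rrsig_valid_at(line, when):
    """What a validator checks: inception <= when <= expiration (all UTC)."""
    exp, inc = parse_rrsig(line)
    return inc <= when <= exp
```

Running the same record against 19:14:35 taken as UTC shows the mismatch the mail describes: the inception is eight hours off from the policy's prediction and the record is already expired, which is what a validator would see if the signer's clock were read in local time.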