[Opendnssec-user] SOA element overrides in kasp.xml

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Mar 5 10:45:58 UTC 2012



On 03/05/2012 09:49 AM, Yuri Schaeffer wrote:
> Hi Dick,
> 
> On 03/03/12 10:43, Dick Visser wrote:
>> I see that in kasp.xml a couple of values from the input zone are
>> overridden. For TTL and Minimum of the SOA record, I want these
>> to be just the same as my input zone, but AFAIK there is no way
>> to do this, other than manually filling in the same value.

You can create a new policy for that zone.

> The reason for this manual work is in the design of OpenDNSSEC.
> The enforcer deals with concepts of keys and policies while the
> signer does actual work on the data.
> 
> Therefore it is decided that the enforcer does not need or care
> about the data (your zonefiles). This is unfortunately not entirely
> true. To make decisions about the speed and order of events the
> enforcer needs to know these values.
> 
>> The Serial value has an option "keep" which keeps whatever is in
>> the input zone. Would it be an idea to have this option also for
>> TTL and Minimum?

If you create a policy with the same values as in the unsigned zone
file, wouldn't that solve your problems? Or do you have a zone where
the TTL and Minimum of the SOA RR are changed a lot (I couldn't imagine
why)?

It is technically possible to have such options for TTL and Minimum, but
I am not convinced it is a good idea.

> The signer is the only part parsing the zone file right now.
> Supporting this is not trivial.

It is technically possible to have this, even without having the
enforcer parse the zone file.

Best regards,
  Matthijs

> 
> Regards, Yuri
> 
>> If such an option would exist, it should be a sane default as
>> well, so it would make sense to have the default policy
>> configured like that too...
> 
> 

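As an added worked example (not code from the OpenDNSSEC project nor from anyone in this thread) of the manual step Matthijs suggests: a small script that reads the SOA TTL and Minimum from the unsigned zone file and writes them into the matching policy in kasp.xml, so the policy stays in step with the zone without the enforcer ever parsing zone data. The zone text, the trimmed kasp.xml fragment and the policy name `default` are constructed for the example; the `PT…S` duration form and the `Zone/SOA/TTL`, `Minimum` and `Serial` element names follow the kasp.xml layout.

```python
# Added example: copy SOA TTL/Minimum from an unsigned zone into a kasp.xml policy.
# Not OpenDNSSEC code; zone, kasp.xml fragment and policy name are constructed.
import re
import xml.etree.ElementTree as ET

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_CLASSES = ("IN", "CH", "HS", "CS")


def parse_ttl(token):
    """Zone-file TTL ('3600', '1h', '1d12h') -> seconds."""
    token = token.lower()
    if token.isdigit():
        return int(token)
    parts = re.findall(r"(\d+)([smhdw])", token)
    if not parts or re.sub(r"\d+[smhdw]", "", token):
        raise ValueError("bad TTL: %r" % token)
    return sum(int(n) * _UNITS[u] for n, u in parts)


def soa_from_zone(zone_text):
    """Return (soa_ttl, soa_minimum) in seconds from unsigned zone text.

    Strips ';' comments, honours $TTL, and re-joins a parenthesised
    multi-line SOA so its RDATA is read as one record.
    """
    default_ttl = None
    records, buf, depth = [], [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line.upper().startswith("$TTL"):
            default_ttl = parse_ttl(line.split()[1])
            continue
        if line.startswith("$"):                      # $ORIGIN, $INCLUDE ...
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:                                # logical record complete
            records.append(" ".join(buf))
            buf = []
    for rec in records:
        tokens = rec.split()
        idx = next((k for k, t in enumerate(tokens) if t.upper() == "SOA"), None)
        if idx is None:
            continue
        # a record starting in column 0 carries an owner name; indented ones do not
        fields = tokens[1:idx] if not rec[0].isspace() else tokens[:idx]
        ttl = default_ttl
        for f in fields:                              # optional [ttl] [class]
            if f.upper() not in _CLASSES:
                ttl = parse_ttl(f)
        rdata = tokens[idx + 1:]   # mname rname serial refresh retry expire minimum
        if ttl is None or len(rdata) != 7:
            raise ValueError("malformed SOA: %r" % rec)
        return ttl, parse_ttl(rdata[6])
    raise ValueError("no SOA record in zone")


def update_policy(kasp_xml, policy_name, ttl, minimum):
    """Return kasp.xml text with one policy's Zone/SOA/TTL and Minimum
    rewritten as ISO 8601 durations (PT3600S), the form kasp.xml uses.
    Serial is left untouched."""
    root = ET.fromstring(kasp_xml)
    for pol in root.iter("Policy"):
        if pol.get("name") != policy_name:
            continue
        soa = pol.find("Zone/SOA")
        if soa is None:
            raise ValueError("policy %r has no Zone/SOA" % policy_name)
        for tag, secs in (("TTL", ttl), ("Minimum", minimum)):
            el = soa.find(tag)
            if el is None:
                el = ET.SubElement(soa, tag)
            el.text = "PT%dS" % secs
        return ET.tostring(root, encoding="unicode")
    raise ValueError("no policy named %r" % policy_name)


def policy_soa_values(kasp_xml, policy_name):
    """(TTL, Minimum) text of a policy's Zone/SOA, for checking the result."""
    root = ET.fromstring(kasp_xml)
    for pol in root.iter("Policy"):
        if pol.get("name") == policy_name:
            soa = pol.find("Zone/SOA")
            return soa.findtext("TTL"), soa.findtext("Minimum")
    raise ValueError("no policy named %r" % policy_name)


# Constructed sample unsigned zone (not from the thread).
UNSIGNED_ZONE = """\
$TTL 86400
$ORIGIN example.com.
@       IN  SOA ns1.example.com. hostmaster.example.com. (
            2012030501  ; serial
            7200        ; refresh
            3600        ; retry
            1209600     ; expire
            1800 )      ; minimum (negative-caching TTL)
        IN  NS  ns1.example.com.
ns1     IN  A   192.0.2.1
"""

# Constructed kasp.xml fragment, trimmed to the Zone/SOA part this script touches.
KASP_XML = """\
<KASP>
  <Policy name="default">
    <Zone>
      <PropagationDelay>PT43200S</PropagationDelay>
      <SOA>
        <TTL>PT3600S</TTL>
        <Minimum>PT3600S</Minimum>
        <Serial>keep</Serial>
      </SOA>
    </Zone>
  </Policy>
</KASP>
"""

if __name__ == "__main__":
    ttl, minimum = soa_from_zone(UNSIGNED_ZONE)
    print(update_policy(KASP_XML, "default", ttl, minimum))
```

Run it against the real files before `ods-ksmutil update kasp` (OpenDNSSEC 1.x) so the enforcer reloads the changed policy. Because a policy can be shared by several zones, copying one zone's SOA values into it changes timing for all of them, which is why Matthijs suggests a separate policy for the zone in question.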