[Opendnssec-user] Keep timestamp and re-sign

Casper Gielen c.gielen at uvt.nl
Mon Mar 19 16:54:29 UTC 2012


On 19-03-12 17:05, Einar Bjarni Halldórsson wrote:
> Hi,
> 
> Since we regenerate our zone automatically every 20 minutes we are using "keep" as our serial. I see in the logs that I get regular errors because the signer tries to run but can't because the serial hasn't been incremented. Since we only call the signer if the serial has been incremented, I guess the enforcerd is trying to resign some records or something and failing since the serial hasn't been incremented.
> 
> This got me thinking, what happens if an error or something means we don't regenerate our zone for a few hours or even days... will the signatures just become invalid since the enforcerd can't update them? 

It depends on the policy set in kasp, but yes, that's the gist of it.
Off the top of my head, the default policy is set to 7 days. After that
validation will fail. I've been pondering the question whether or not to
raise this significantly. If something goes wrong during a
vacation period there is a real risk that we will not be able to fix it
in time.
Although I work in a very technical environment I'm not sure if all of
my colleagues will be able to fix every DNSSEC problem. If you are in a
less technical environment or are not able to dedicate time to DNSSEC
whenever it is required, the 7 day limit is probably too low.
-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
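The failure mode discussed in this thread (the signer stops running, the RRSIGs reach the end of their kasp validity period, validators reject the zone) is easy to catch early by watching the expiration field of the published RRSIGs. As an added example, not part of this thread or of OpenDNSSEC, the Python check below parses single-line RRSIG records from a zone file and reports which signatures are still fine, close to expiring, or already expired; the zone data, owner names and signature bytes in it are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
# RRSIG presentation format (RFC 4034, section 3.2), assumed one record per line:
# owner TTL IN RRSIG type alg labels origTTL expiration inception keytag signer sig
# expiration and inception are YYYYMMDDHHmmSS in UTC.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<type>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+\d+\s+\S+\s+\S+$"
)
# Constructed sample: hypothetical names, fake signature data, inspected at NOW.
NOW = datetime(2012, 3, 19, 17, 0, 0, tzinfo=timezone.utc)
SAMPLE_ZONE = """\
example.com. 3600 IN RRSIG SOA 8 2 3600 20120326170000 20120312170000 12345 example.com. AAAA
www.example.com. 3600 IN RRSIG A 8 3 3600 20120320120000 20120312170000 12345 example.com. BBBB
mail.example.com. 3600 IN RRSIG A 8 3 3600 20120318000000 20120312170000 12345 example.com. CCCC
ns.example.com. 3600 IN RRSIG A 8 3 3600 20120327000000 20120320000000 12345 example.com. DDDD
"""

def rrsig_time(stamp):
    # RRSIG timestamps carry no zone designator; they are always UTC.
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(zone_text, now, warn_within=timedelta(days=2)):
    """Return (owner, type, status, remaining) per RRSIG; status is ok/expiring/expired/not-yet-valid."""
    results = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue  # not an RRSIG (or a multi-line record this example does not handle)
        expiration, inception = rrsig_time(m["expiration"]), rrsig_time(m["inception"])
        remaining = expiration - now
        if now < inception:
            status = "not-yet-valid"  # clock skew, or a signer running ahead of the published zone
        elif remaining <= timedelta(0):
            status = "expired"        # validating resolvers will reject this RRset
        elif remaining <= warn_within:
            status = "expiring"       # the signer must run again before this deadline
        else:
            status = "ok"
        results.append((m["owner"], m["type"], status, remaining))
    return results

def worst_status(results):
    order = ["ok", "expiring", "not-yet-valid", "expired"]
    return max((r[2] for r in results), key=order.index, default="ok")

if __name__ == "__main__":
    for owner, rtype, status, remaining in check_rrsigs(SAMPLE_ZONE, NOW):
        print(f"{owner:<18} {rtype:<4} {status:<14} {remaining}")
    print("overall:", worst_status(check_rrsigs(SAMPLE_ZONE, NOW)))
```

Run against a zone dumped from the signer's output (or the records returned by a validating resolver) and alert on anything other than "ok" while there is still time to intervene within the policy's validity window.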


