[Opendnssec-user] Keep timestamp and re-sign

Dick Visser visser at terena.org
Tue Mar 20 10:31:11 UTC 2012


On 19 March 2012 17:54, Casper Gielen <c.gielen at uvt.nl> wrote:
>> This got me thinking, what happens if an error or something means we don't regenerate our zone for a few hours or even days... will the signatures just become invalid since the enforcerd can't update them?
>
> It depends on the policy set in kasp, but yes, that's the gist of it.

It might be worth adding these kinds of important implications as
comments in the default config files and to the docs.
The information itself is there all right, but it doesn't really stand out.

Ideally a policy should be based on such real-world questions
("Maximum time for your zone to live without maintenance?")
(Nagios) monitoring plugins should also keep an eye on it of course...


-- 
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
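
The monitoring idea from the message above, sketched as a Nagios-style check. This is an added example, not part of the original post and not OpenDNSSEC code. The zone data, key tag, and the warning/critical thresholds are constructed assumptions; the warning threshold should be at least the time the zone must survive without maintenance.

```python
"""Nagios-style RRSIG expiry check (added example; all sample data constructed)."""
import sys
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes

# Constructed sample in zone-file / dig presentation format; signatures truncated.
SAMPLE = """\
example.org. 3600 IN SOA ns1.example.org. host.example.org. 2012031901 3600 600 1209600 3600
example.org. 3600 IN RRSIG SOA 8 2 3600 20120326120000 20120319110000 12345 example.org. AbCd
example.org. 3600 IN RRSIG NS 8 2 3600 20120322093000 20120315083000 12345 example.org. EfGh
"""

def rrsig_expirations(text):
    """Yield (type_covered, expiration) for every RRSIG line in text."""
    for line in text.splitlines():
        fields = line.split()
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        if len(fields) < i + 6:
            continue  # truncated record, nothing to parse
        # RDATA order: type-covered, algorithm, labels, original TTL, expiration, ...
        exp = datetime.strptime(fields[i + 5], "%Y%m%d%H%M%S")
        yield fields[i + 1], exp.replace(tzinfo=timezone.utc)

def check(text, now, warn=timedelta(days=3), crit=timedelta(days=1)):
    """Return (exit_code, message) based on the signature that expires first."""
    sigs = list(rrsig_expirations(text))
    if not sigs:
        return UNKNOWN, "UNKNOWN: no RRSIG records found"
    covered, exp = min(sigs, key=lambda s: s[1])
    left = exp - now
    when = f"{exp:%Y-%m-%d %H:%M} UTC"
    if left <= timedelta(0):
        return CRITICAL, f"CRITICAL: RRSIG {covered} expired at {when}"
    if left < crit:
        return CRITICAL, f"CRITICAL: RRSIG {covered} expires in {left} ({when})"
    if left < warn:
        return WARNING, f"WARNING: RRSIG {covered} expires in {left} ({when})"
    return OK, f"OK: earliest RRSIG ({covered}) valid until {when}"

if __name__ == "__main__":
    # A real plugin would read the signed zone file or a resolver's answer instead.
    code, message = check(SAMPLE, datetime.now(timezone.utc))
    print(message)
    sys.exit(code)
```

The check alarms on the earliest expiration in the zone, so a single stale RRset is enough to trigger it even while the signer is still refreshing others.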


