[Opendnssec-user] Devising new policies: parent settings
Tom Hendrikx
tom at whyscream.net
Tue Sep 11 13:36:42 UTC 2012
On 9/11/12 1:12 PM, Sara Dickinson wrote:
>
> On 8 Sep 2012, at 12:07, Tom Hendrikx wrote:
>
>> Is there some resource available that collects all these kinds of
>> settings which I missed
>
> Sorry Tom - nothing that I am aware of.
>
> Sara.
>
Yesterday night I found the correct Google incantation: 'dnssec policy
statement', but if I want to do it correctly (in my opinion of correct,
on which I also requested feedback from other ops), I still am missing data.

For correct parent settings, I need 4 values:

1) Parent->SOA->TTL: Can be obtained from the SOA RR of the TLD in DNS
directly.
2) Parent->SOA->Minimum: same as above.
3) Parent->DS->TTL: time-to-live for DS RRs. Can be spied from existing
DS RRs in the TLD zone, but ideally should be obtained from the TLD
DNSSEC policy.
4) Parent->PropagationDelay: time until next TLD zone update. Depends on
the interval at which the TLD operator refreshes the zone data, which
should be 'somewhere' in their documentation, but for Verisign I did not
find anything yet.

Finding the DNSSEC policy for a TLD gives me an answer to 3) (after
digging through ~23 pages of mostly legal stuff).

Answer to 4) is AFAICS generally not available in the DNSSEC policy, so
you need to start a new crusade on that :/

Still interested to hear opinions from other OpenDNSSEC operators on this...
--
Tom
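
Added example, not part of the original message or of OpenDNSSEC itself: a sketch that takes values 1) to 3) from parent-zone records in one-line `dig +noall +answer` format and builds the `<Parent>` block for kasp.xml. The TLD `example.`, the record data and the 3600-second propagation delay are constructed assumptions; value 4) cannot be read from DNS and has to be passed in.

```python
import xml.etree.ElementTree as ET

# Constructed sample records, as an authoritative server for the hypothetical
# TLD "example." might return them. Query an authoritative server directly
# (e.g. dig @<tld-nameserver> +norecurse): a caching resolver reports a TTL
# that has already counted down and would understate the real value.
SAMPLE_ANSWERS = """\
example.        900   IN SOA ns1.nic.example. hostmaster.nic.example. 2012091101 1800 900 604800 86400
child.example.  86400 IN DS  12345 8 2 AB12CD34
child.example.  86400 IN DS  12345 8 1 EF56AB78
"""


def parse_parent_records(text):
    """Return SOA TTL, SOA minimum and DS TTL (seconds) from one-line records."""
    found = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or line.startswith(";") or not fields[1].isdigit():
            continue  # skip comments, blank lines and anything that is not an RR
        ttl, rrtype, rdata = int(fields[1]), fields[3].upper(), fields[4:]
        if rrtype == "SOA" and len(rdata) == 7:
            found["soa_ttl"] = ttl
            found["soa_minimum"] = int(rdata[6])  # last SOA field is MINIMUM
        elif rrtype == "DS":
            # Keep the highest TTL seen, the safe side for rollover timing.
            found["ds_ttl"] = max(ttl, found.get("ds_ttl", 0))
    missing = {"soa_ttl", "soa_minimum", "ds_ttl"} - found.keys()
    if missing:
        raise ValueError("records missing for: " + ", ".join(sorted(missing)))
    return found


def parent_element(values, propagation_delay):
    """Build the kasp.xml <Parent> element; durations are ISO 8601 seconds."""
    parent = ET.Element("Parent")
    ET.SubElement(parent, "PropagationDelay").text = f"PT{propagation_delay}S"
    ds = ET.SubElement(parent, "DS")
    ET.SubElement(ds, "TTL").text = f"PT{values['ds_ttl']}S"
    soa = ET.SubElement(parent, "SOA")
    ET.SubElement(soa, "TTL").text = f"PT{values['soa_ttl']}S"
    ET.SubElement(soa, "Minimum").text = f"PT{values['soa_minimum']}S"
    return parent


if __name__ == "__main__":
    # 3600 is a placeholder: the real value comes from the registry's documentation.
    elem = parent_element(parse_parent_records(SAMPLE_ANSWERS), propagation_delay=3600)
    print(ET.tostring(elem, encoding="unicode"))
```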