[Opendnssec-user] SOA TTL behaviour
Paul Wouters
paul at nohats.ca
Tue Sep 11 14:56:55 UTC 2012
On Tue, 11 Sep 2012, Matthijs Mekking wrote:
> The core design of OpenDNSSEC consists of two daemons, the enforcer and
> the signer. The enforcer takes care of key management, the signer takes
> care of zone management. We made the decision that the enforcer should
> not have access to the zone contents. But some zone parameters are
> needed in order to implement the correct timings for key rollovers. The
> SOA TTL is used to calculate the time RRsets can end up in the NCACHE:
>
> min(SOA TTL, SOA MINIMUM)
Ahh okay. Understood. Perhaps a comment in the stock config file stating
something along these lines would be good, e.g.:
<!-- Specify the TTL value used in the unsigned zone. This is used by
ods-enforcerd, which does not read zone content, to calculate various
key rollover safety timings
-->
It would also be nice to have man pages for the config files, even though
"man kasp.xml" is a little awkward, perhaps migrate that to kasp.conf in
a future major release?
Paul
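Since ods-enforcerd derives its rollover timings from the SOA values in kasp.xml rather than from the zone itself, a deployment is only as safe as the agreement between the two. The following is an added example, not OpenDNSSEC's own code: it reads the SOA TTL and Minimum from a kasp.xml policy (assumed layout Policy/Zone/SOA/TTL and Policy/Zone/SOA/Minimum with ISO 8601 durations), reads the SOA RR from the unsigned zone, and reports where the enforcer's min(SOA TTL, SOA MINIMUM) estimate of negative-cache lifetime would fall short of what resolvers actually apply. The kasp.xml fragment and the SOA line are constructed samples.

```python
"""Cross-check kasp.xml <SOA> timings against the unsigned zone's SOA RR.
Added example, not OpenDNSSEC's own code. ods-enforcerd never reads the zone,
so its rollover timings are only right if the SOA TTL/MINIMUM in kasp.xml
match it. Assumed kasp.xml layout: Policy/Zone/SOA/{TTL,Minimum}, ISO 8601.
"""
import re
import xml.etree.ElementTree as ET

# Constructed kasp.xml fragment and SOA RR (not from any real installation).
KASP_XML = """<KASP><Policy name="default"><Zone><SOA>
<TTL>PT3600S</TTL><Minimum>PT300S</Minimum><Serial>unixtime</Serial>
</SOA></Zone></Policy></KASP>"""
ZONE_SOA = "example.com. 7200 IN SOA ns1.example.com. hostmaster.example.com. 2012091101 3600 900 1209600 900"

def iso_duration_seconds(text):
    """PT3600S or P1DT2H -> seconds (days/hours/minutes/seconds only)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        raise ValueError("unsupported duration: %r" % text)
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def negative_cache_ttl(soa_ttl, soa_minimum):
    """RFC 2308: a negative answer may be cached for min(SOA TTL, SOA MINIMUM)."""
    return min(soa_ttl, soa_minimum)

def kasp_soa(xml_text, policy="default"):
    """(ttl, minimum) in seconds from the named policy's Zone/SOA element."""
    soa = ET.fromstring(xml_text).find("Policy[@name='%s']/Zone/SOA" % policy)
    return (iso_duration_seconds(soa.findtext("TTL")), iso_duration_seconds(soa.findtext("Minimum")))

def zone_soa(rr_line):
    """(ttl, minimum) from 'owner ttl IN SOA mname rname serial refresh retry expire minimum'."""
    f = rr_line.split()
    if len(f) < 11 or f[3].upper() != "SOA":
        raise ValueError("expected a full SOA RR with explicit TTL: %r" % rr_line)
    return int(f[1]), int(f[10])

def check(xml_text, rr_line, policy="default"):
    """List every way the enforcer's SOA view (kasp.xml) disagrees with the zone."""
    k_ttl, k_min = kasp_soa(xml_text, policy)
    z_ttl, z_min = zone_soa(rr_line)
    problems = []
    for name, k, z in (("SOA TTL", k_ttl, z_ttl), ("SOA MINIMUM", k_min, z_min)):
        if k != z:
            problems.append("%s: kasp.xml %d, zone %d" % (name, k, z))
    k_nc, z_nc = negative_cache_ttl(k_ttl, k_min), negative_cache_ttl(z_ttl, z_min)
    if k_nc < z_nc:  # enforcer assumes stale negative answers expire sooner than they do
        problems.append("NCACHE TTL underestimated: enforcer %d, resolvers %d" % (k_nc, z_nc))
    return problems
```

Running `check(KASP_XML, ZONE_SOA)` on the constructed samples reports three discrepancies; an empty list means the enforcer's assumptions hold for that zone.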