[Opendnssec-user] SOA TTL behaviour

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Sep 12 07:58:46 UTC 2012


On 09/11/2012 04:56 PM, Paul Wouters wrote:
> On Tue, 11 Sep 2012, Matthijs Mekking wrote:
> 
>> The core design of OpenDNSSEC consists of two daemons, the enforcer
>> and the signer. The enforcer takes care of key management, the
>> signer takes care of zone management. We made the decision that
>> the enforcer should not have access to the zone contents. But
>> some zone parameters are needed in order to implement the correct
>> timings for key rollovers. The SOA TTL is used to calculate the
>> time RRsets can end up in the NCACHE:
>> 
>> min(SOA TTL, SOA MINIMUM)
> 
> Ahh okay. Understood. Perhaps a comment in the stock config file
> stating something along these lines would be good, eg:
> 
> <!-- Specify the TTL value used in the unsigned zone. This is used
> by ods-enforcerd, which does not read zone content, to calculate
> various key rollover safety timings -->

Yes.

> 
> It would also be nice to have man pages for the config files, even
> though "man kasp.xml" is a little awkward, perhaps migrate that to
> kasp.conf in a future major release?

Good idea. I have created a report for this:
https://issues.opendnssec.org/browse/OPENDNSSEC-328

In the meantime, you can look up the documentation here

https://wiki.opendnssec.org/display/DOCS/Configuration+files (for 1.3.x)

and here

https://wiki.opendnssec.org/display/DOCSTRUNK/Configuration+files (for
the upcoming 1.4 release)


> 
> Paul



