[Opendnssec-user] PublishSafety and RetireSafety warning
sara at sinodun.com
Wed Feb 5 17:49:19 UTC 2014
On 4 Feb 2014, at 16:43, Emil Natan <shlyoko at gmail.com> wrote:
> I've been following the list for some time, but this is my first email and I presume there will be a few more.
Thanks for the mail :-)
> I created some policy and when I run ods-kaspcheck I receive the following warning:
> WARNING: Keys/PublishSafety (7200 seconds) is greater than 5 * TTL (300 seconds) for xxx policy in /usr/local/ods/etc/opendnssec/kasp.xml
> WARNING: Keys/RetireSafety (86400 seconds) is greater than 5 * TTL (300 seconds) for xxx policy in /usr/local/ods/etc/opendnssec/kasp.xml
> I understand what this warning means, but I do not understand why this is bad/not recommended and why the warning is shown?
There is a check in the code that "PublishSafety" and "RetireSafety" margins are not less than 0.1 * TTL or more than 5 * TTL. So it looks like an order of magnitude type check to help catch typos/errors.
Plus, one side effect of having keys around for longer than needed is that it could lead to unnecessarily large answers to DNSKEY queries.
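The order-of-magnitude check Sara describes, as an added example that is not part of the thread or of OpenDNSSEC's own ods-kaspcheck code: it parses a constructed kasp.xml fragment (assuming the Keys/TTL, Keys/PublishSafety and Keys/RetireSafety layout, with ISO 8601 durations limited to days, hours, minutes and seconds) and flags any safety margin outside the [0.1 * TTL, 5 * TTL] band in the same wording as the warnings quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed kasp.xml fragment: policy "xxx" mirrors the values in the
# thread (TTL 300 s, PublishSafety 2 h, RetireSafety 1 day); "sane" is in band.
KASP_XML = """<KASP>
  <Policy name="xxx">
    <Keys>
      <TTL>PT300S</TTL>
      <RetireSafety>P1D</RetireSafety>
      <PublishSafety>PT2H</PublishSafety>
    </Keys>
  </Policy>
  <Policy name="sane">
    <Keys>
      <TTL>PT3600S</TTL>
      <RetireSafety>PT3600S</RetireSafety>
      <PublishSafety>PT3600S</PublishSafety>
    </Keys>
  </Policy>
</KASP>"""

# ISO 8601 duration with day/time parts only (years and months are not handled).
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")

def duration_seconds(text):
    """Convert a kasp.xml duration such as PT300S, PT2H or P1D to seconds."""
    m = _DURATION.match(text.strip())
    if not m or not any(m.groupdict().values()):
        raise ValueError("unsupported duration: %r" % text)
    p = {k: int(v or 0) for k, v in m.groupdict().items()}
    return p["d"] * 86400 + p["h"] * 3600 + p["m"] * 60 + p["s"]

def check_safety_margins(kasp_xml, path="kasp.xml"):
    """Warn when a safety margin is below 0.1 * TTL or above 5 * TTL."""
    fmt = "WARNING: Keys/%s (%d seconds) is %s TTL (%d seconds) for %s policy in %s"
    warnings = []
    for policy in ET.fromstring(kasp_xml).findall("Policy"):
        name = policy.get("name")
        ttl = duration_seconds(policy.findtext("Keys/TTL"))
        for tag in ("PublishSafety", "RetireSafety"):
            margin = duration_seconds(policy.findtext("Keys/" + tag))
            if margin > 5 * ttl:
                warnings.append(fmt % (tag, margin, "greater than 5 *", ttl, name, path))
            elif margin < 0.1 * ttl:
                warnings.append(fmt % (tag, margin, "less than 0.1 *", ttl, name, path))
    return warnings
```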