[Opendnssec-user] Enforcerd and signerd decoupling

Antti Ristimäki antti.ristimaki at csc.fi
Wed Mar 12 19:13:33 UTC 2014


Hi Matthijs,

10.03.2014 15:59, Matthijs Mekking wrote:
> Just some ideas of how we can fix it in the future. For a short term
> work around, I assume monitoring is your friend.

Actually we already have quite comprehensive monitoring, but the issue
I described is a bit problematic, if the default PublishSafety value
PT3600s is being used. In that case, one has to be able to react
extremely quickly, no matter how soon your monitoring detects that the
zone is not being updated. I'm not stating that this is a fundamental
flaw in the design of OpenDNSSEC, but I do hope that ODS users recognize
this and make their own assessment whether it would be good to use a
bigger PublishSafety value than the default one. Personally I don't see
any problem in using something like one week PublishSafety, just in case.

I admit that the scenario I described is more or less a corner case, but
the probability of such an issue is nevertheless more than zero. And
during the early years of global DNSSEC deployment, we have seen quite a
few corner cases...

Antti
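One way to turn the assessment above into a routine check, as an added example that is not from this thread or from OpenDNSSEC itself: it reads the PublishSafety durations from a constructed kasp.xml (assuming the Policy/Keys/PublishSafety layout used by OpenDNSSEC policies) and reports how much of each value remains once monitoring detection time and operator reaction time are subtracted, so a default of PT3600S can be compared against a one-week value.

```python
"""Added example: compare each policy's PublishSafety against the time
monitoring needs to notice a stalled zone plus the time an operator
needs to react. The kasp.xml below is constructed for this example and
assumes the Policy/Keys/PublishSafety layout with ISO 8601 durations."""
import re
import xml.etree.ElementTree as ET

# Constructed sample policies; PT3600S is the default mentioned in the thread.
SAMPLE_KASP = """<KASP>
  <Policy name="default">
    <Keys>
      <PublishSafety>PT3600S</PublishSafety>
      <RetireSafety>PT3600S</RetireSafety>
    </Keys>
  </Policy>
  <Policy name="cautious">
    <Keys>
      <PublishSafety>P1W</PublishSafety>
    </Keys>
  </Policy>
</KASP>"""

# Subset of ISO 8601 durations: weeks, days, hours, minutes, seconds.
_DURATION = re.compile(
    r"^P(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")

def duration_seconds(text):
    """Convert a duration such as PT3600S or P1W to whole seconds."""
    m = _DURATION.match(text.strip().upper())
    if not m or not any(m.groupdict().values()):
        raise ValueError("unsupported duration: %r" % text)
    f = {k: int(v or 0) for k, v in m.groupdict().items()}
    return f["w"] * 604800 + f["d"] * 86400 + f["h"] * 3600 + f["m"] * 60 + f["s"]

def publish_safety_margins(kasp_xml, detect_seconds, react_seconds):
    """Return {policy: (publish_safety, margin)}; margin is the number of
    seconds left after detection and reaction, negative when too tight."""
    root = ET.fromstring(kasp_xml)
    result = {}
    for pol in root.findall("Policy"):
        node = pol.find("Keys/PublishSafety")
        if node is None:
            continue
        ps = duration_seconds(node.text)
        result[pol.get("name")] = (ps, ps - detect_seconds - react_seconds)
    return result

if __name__ == "__main__":
    # 15 minutes to detect, one hour to react: the default leaves no margin.
    for name, (ps, margin) in publish_safety_margins(SAMPLE_KASP, 900, 3600).items():
        print(name, ps, "margin:", margin)
```

The detection and reaction figures are illustrative inputs; substitute the values measured for your own monitoring and on-call setup.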