[Opendnssec-user] Two questions
Yuri Schaeffer
yuri at nlnetlabs.nl
Tue Sep 2 12:37:20 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
> I'm running NSD 4.0.3 as a hidden master and OpenDNSSEC 1.4.6 on a
> separate server getting plain zones from the hidden master via DNS
> adapters. Everything is working fine, but occasionally I get the
> following in the logs of OpenDNSSEC:
>
> Sep 2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org
> request udp/ixfr=2373323896 to 192.168.157.46 Sep 2 10:33:08
> srv-signer ods-signerd: [xfrd] bad packet: zone domain.org received
> error code NOTIMPL from 192.168.157.46
OpenDNSSEC requests an IXFR, but NSD does not support (serving) IXFR.
> Sep 2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org
> request axfr to 192.168.157.46 Sep 2 10:33:08 srv-signer
> ods-signerd: [xfrd] zone domain.org got update indicating current
> serial 2014082701 from 192.168.157.46
... And then OpenDNSSEC falls back to AXFR. Everything is fine.
> And the second question: could somebody please explain the reasons
> for increasing ZSK lifetime from 30 to 90 days in the default
> policy?
My guess is that 90 is considered "better" than 30 for people who just
copy the defaults. Those people do not tend to be paranoid.
But maybe Jakob remembers?
$ git show 627d8279
commit 627d82798aeb0d54e30bd63ce3a0131c4dbbb509
Author: Jakob Schlyter <jakob at kirei.se>
Date: Wed Apr 18 12:47:28 2012 +0000
Change the default signature validity to 14 days (was 7 days)
Change the default ZSK lifetime to 90 days (was 30 days)
Regards,
Yuri
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlQFugAACgkQI3PTR4mhavjoiQCfb4ZnyGJy2XKsFGNtZf4YGGic
QKkAoMV860Q60LHSWXBP6bb8vg0l3ALC
=l6Ke
-----END PGP SIGNATURE-----
More information about the Opendnssec-user
mailing list