[Opendnssec-user] Two questions

Yuri Schaeffer yuri at nlnetlabs.nl
Tue Sep 2 14:37:20 CEST 2014



Hi,

> I'm running NSD 4.0.3 as a hidden master and OpenDNSSEC 1.4.6 on a 
> separate server getting plain zones from the hidden master via DNS 
> adapters. Everything is working fine, but occasionally I get the 
> following in the logs of OpenDNSSEC:
> 
> Sep  2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org request udp/ixfr=2373323896 to 192.168.157.46
> Sep  2 10:33:08 srv-signer ods-signerd: [xfrd] bad packet: zone domain.org received error code NOTIMPL from 192.168.157.46

OpenDNSSEC requests an IXFR, but NSD does not support (serving) IXFR.

> Sep  2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org request axfr to 192.168.157.46
> Sep  2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org got update indicating current serial 2014082701 from 192.168.157.46

... And then OpenDNSSEC falls back to AXFR. Everything is fine.

> And the second question: could somebody please explain the reasons
> for increasing ZSK lifetime from 30 to 90 days in the default
> policy?

My guess is that 90 is considered "better" than 30 for people who just
copy the defaults. Those people do not tend to be paranoid.

But maybe Jakob remembers?

$ git show 627d8279
commit 627d82798aeb0d54e30bd63ce3a0131c4dbbb509
Author: Jakob Schlyter <jakob at kirei.se>
Date:   Wed Apr 18 12:47:28 2012 +0000

    Change the default signature validity to 14 days (was 7 days)
    Change the default ZSK lifetime to 90 days (was 30 days)

Regards,
Yuri
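An added example, not part of the thread and not OpenDNSSEC's own code: a small Python classifier that reads ods-signerd "[xfrd]" lines in the format quoted above and separates the benign pattern Yuri describes (IXFR answered with NOTIMPL, then a successful AXFR) from a transfer that never completes. The message shapes it recognises are assumed from the four lines in the thread; the log it runs on is constructed (the example.net and third.example zones, the REFUSED rcode and the later timestamps are made up), and the status names are this example's own.

```python
"""Classify ods-signerd [xfrd] log lines: benign IXFR->AXFR fallback vs. a real failure.

Added example (not OpenDNSSEC's code). Message formats are assumed from the
lines quoted in the thread; SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict

# Constructed sample. domain.org reproduces the thread's benign pattern;
# example.net (refused on both IXFR and AXFR) and third.example (plain AXFR,
# no error) are made up to show the other outcomes.
SAMPLE_LOG = """\
Sep  2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org request udp/ixfr=2373323896 to 192.168.157.46
Sep  2 10:33:08 srv-signer ods-signerd: [xfrd] bad packet: zone domain.org received error code NOTIMPL from 192.168.157.46
Sep  2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org request axfr to 192.168.157.46
Sep  2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org got update indicating current serial 2014082701 from 192.168.157.46
Sep  2 10:35:08 srv-signer ods-signerd: [xfrd] zone example.net request udp/ixfr=2014082700 to 192.168.157.46
Sep  2 10:35:08 srv-signer ods-signerd: [xfrd] bad packet: zone example.net received error code REFUSED from 192.168.157.46
Sep  2 10:35:08 srv-signer ods-signerd: [xfrd] zone example.net request axfr to 192.168.157.46
Sep  2 10:35:08 srv-signer ods-signerd: [xfrd] bad packet: zone example.net received error code REFUSED from 192.168.157.46
Sep  2 10:36:08 srv-signer ods-signerd: [xfrd] zone third.example request axfr to 192.168.157.46
Sep  2 10:36:08 srv-signer ods-signerd: [xfrd] zone third.example got update indicating current serial 2014090201 from 192.168.157.46
"""

# Only the part after the "[xfrd]" tag carries the event; syslog prefix is ignored.
XFRD_MSG = re.compile(r"ods-signerd: \[xfrd\] (?P<msg>.*)$")
REQUEST = re.compile(r"^zone (?P<zone>\S+) request (?P<kind>\S+) to (?P<master>\S+)$")
ERROR = re.compile(r"^bad packet: zone (?P<zone>\S+) received error code (?P<rcode>\S+) from (?P<master>\S+)$")
UPDATE = re.compile(r"^zone (?P<zone>\S+) got update indicating current serial (?P<serial>\d+) from (?P<master>\S+)$")


def parse_events(log_text):
    """Yield (zone, event, detail, master) for each recognised [xfrd] line, in log order."""
    for line in log_text.splitlines():
        m = XFRD_MSG.search(line)
        if not m:
            continue
        msg = m.group("msg")
        r = REQUEST.match(msg)
        if r:
            # "udp/ixfr=<serial>" vs. "axfr"; the transport prefix is not needed here.
            kind = "ixfr" if "ixfr" in r.group("kind") else "axfr"
            yield r.group("zone"), "request", kind, r.group("master")
            continue
        e = ERROR.match(msg)
        if e:
            yield e.group("zone"), "error", e.group("rcode"), e.group("master")
            continue
        u = UPDATE.match(msg)
        if u:
            yield u.group("zone"), "update", int(u.group("serial")), u.group("master")


def _new_zone_state():
    return {"pending": None, "ixfr_rcode": None, "axfr_rcode": None,
            "serial": None, "master": None, "done": True}


def classify_transfers(log_text):
    """Summarise the last transfer attempt per zone as {zone: {...}}.

    A new attempt begins on an IXFR request, or on any request once the previous
    attempt finished (update received or AXFR failed). An IXFR error alone does
    not finish an attempt, because the signer falls back to AXFR right after it.
    """
    state = defaultdict(_new_zone_state)
    for zone, event, detail, master in parse_events(log_text):
        z = state[zone]
        if event == "request":
            if detail == "ixfr" or z["done"]:
                z.update(_new_zone_state())
                z["done"] = False
            z["pending"] = detail
            z["master"] = master
        elif event == "error":
            if z["pending"] == "ixfr":
                z["ixfr_rcode"] = detail
            elif z["pending"] == "axfr":
                z["axfr_rcode"] = detail
                z["done"] = True
            z["pending"] = None
        elif event == "update":
            z["serial"] = detail
            z["pending"] = None
            z["done"] = True

    report = {}
    for zone, z in state.items():
        if z["serial"] is None:
            status = "failed"
        elif z["ixfr_rcode"] is None:
            status = "ok"
        elif z["ixfr_rcode"] == "NOTIMPL":
            status = "ok_axfr_fallback"  # master does not serve IXFR; harmless
        else:
            status = "ok_axfr_fallback_unexpected_rcode"
        report[zone] = {"status": status, "serial": z["serial"], "master": z["master"],
                        "ixfr_rcode": z["ixfr_rcode"], "axfr_rcode": z["axfr_rcode"]}
    return report


def zones_needing_attention(report):
    """Zones whose last attempt did not end in a completed transfer, or whose IXFR
    was rejected with something other than NOTIMPL."""
    return sorted(z for z, r in report.items() if r["status"] not in ("ok", "ok_axfr_fallback"))


if __name__ == "__main__":
    result = classify_transfers(SAMPLE_LOG)
    for zone, r in sorted(result.items()):
        print(f"{zone}: {r['status']} (serial={r['serial']}, ixfr={r['ixfr_rcode']}, axfr={r['axfr_rcode']})")
    print("needs attention:", zones_needing_attention(result))
```

The point of the split is operational: with NSD as hidden master the NOTIMPL line will recur on every IXFR attempt, so alerting on "error code" alone produces noise, while a zone whose AXFR also fails (or never reports "got update") is the case that deserves a page.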
