[Opendnssec-user] Two questions

Mark Elkins mje at posix.co.za
Tue Sep 2 15:47:31 CEST 2014


In the same way that NSD has the "AXFR" flag to specify only to try AXFR
transfers... would it not be appropriate for OpenDNSSEC to have
something similar - so the logfile ends up with no failed IXFR attempts?

Just a thought.

(Can't remember seeing the option)

 
On Tue, 2014-09-02 at 14:37 +0200, Yuri Schaeffer wrote:
> Hi,
> 
> > I'm running NSD 4.0.3 as a hidden master and OpenDNSSEC 1.4.6 on a 
> > separate server getting plain zones from the hidden master via DNS 
> > adapters. Everything is working fine, but occasionally I get the 
> > following in the logs of OpenDNSSEC:
> > 
> > Sep  2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org request udp/ixfr=2373323896 to 192.168.157.46
> > Sep  2 10:33:08 srv-signer ods-signerd: [xfrd] bad packet: zone domain.org received error code NOTIMPL from 192.168.157.46
> 
> OpenDNSSEC requests an IXFR, but NSD does not support (serving) IXFR.
> 
> > Sep  2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org request axfr to 192.168.157.46
> > Sep  2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org got update indicating current serial 2014082701 from 192.168.157.46
> 
> ... And then OpenDNSSEC falls back to AXFR. Everything is fine.
> 
> > And the second question: could somebody please explain the reasons
> > for increasing ZSK lifetime from 30 to 90 days in the default
> > policy?
> 
> My guess is that 90 is considered "better" than 30 for people who just
> copy the defaults. Those people do not tend to be paranoid.
> 
> But maybe Jakob remembers?
> 
> $ git show 627d8279
> commit 627d82798aeb0d54e30bd63ce3a0131c4dbbb509
> Author: Jakob Schlyter <jakob at kirei.se>
> Date:   Wed Apr 18 12:47:28 2012 +0000
> 
>     Change the default signature validity to 14 days (was 7 days)
>     Change the default ZSK lifetime to 90 days (was 30 days)
> 
> Regards,
> Yuri

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
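
The IXFR-to-AXFR fallback Yuri describes can be filtered out of log review so that only transfer errors without a retry stand out. The following is an added example, not part of the original thread or of OpenDNSSEC: it pairs each `bad packet` line with a later AXFR request for the same zone and master. The zone names, the 192.0.2.46 address and the REFUSED line are constructed sample input, and it is an assumption that other rcodes are logged in the same format as NOTIMPL.

```python
import re

# Patterns taken from the ods-signerd [xfrd] lines quoted in this thread.
REQ = re.compile(r"\[xfrd\] zone (\S+) request (udp/ixfr=\d+|axfr) to (\S+)")
ERR = re.compile(r"\[xfrd\] bad packet: zone (\S+) received error code (\w+) from (\S+)")

# Constructed sample input (documentation addresses, not real hosts).
# Assumption: rcodes other than NOTIMPL are logged in the same format.
SAMPLE = """\
Sep  2 10:33:08 srv-signer ods-signerd: [xfrd] zone example.org request udp/ixfr=2373323896 to 192.0.2.46
Sep  2 10:33:08 srv-signer ods-signerd: [xfrd] bad packet: zone example.org received error code NOTIMPL from 192.0.2.46
Sep  2 10:33:08 srv-signer ods-signerd: [xfrd] zone example.org request axfr to 192.0.2.46
Sep  2 10:33:08 srv-signer ods-signerd: [xfrd] zone example.org got update indicating current serial 2014082701 from 192.0.2.46
Sep  2 10:40:11 srv-signer ods-signerd: [xfrd] zone example.net request udp/ixfr=2014082701 to 192.0.2.46
Sep  2 10:40:11 srv-signer ods-signerd: [xfrd] bad packet: zone example.net received error code NOTIMPL from 192.0.2.46
Sep  2 10:41:02 srv-signer ods-signerd: [xfrd] zone example.com request axfr to 192.0.2.46
Sep  2 10:41:02 srv-signer ods-signerd: [xfrd] bad packet: zone example.com received error code REFUSED from 192.0.2.46
""".splitlines()


def classify_xfr_errors(lines):
    """Return (zone, master, rcode, verdict) for each 'bad packet' line."""
    last_request = {}   # (zone, master) -> kind of the most recent request
    pending = {}        # (zone, master) -> index of a NOTIMPL awaiting AXFR
    results = []
    for line in lines:
        if m := REQ.search(line):
            zone, kind, master = m.groups()
            key = (zone, master)
            kind = "axfr" if kind == "axfr" else "ixfr"
            last_request[key] = kind
            if kind == "axfr" and key in pending:
                # AXFR retry seen: the earlier IXFR refusal was harmless.
                idx = pending.pop(key)
                results[idx] = results[idx][:3] + ("benign-fallback",)
        elif m := ERR.search(line):
            zone, rcode, master = m.groups()
            key = (zone, master)
            if rcode == "NOTIMPL" and last_request.get(key) == "ixfr":
                pending[key] = len(results)
                results.append((zone, master, rcode, "no-fallback-seen"))
            else:
                results.append((zone, master, rcode, "investigate"))
    return results


if __name__ == "__main__":
    for row in classify_xfr_errors(SAMPLE):
        print(*row)
```

Only the `no-fallback-seen` and `investigate` rows need attention; a `benign-fallback` row is the expected behaviour against a master that does not serve IXFR.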