[Opendnssec-user] Expected behavior when changing zone policy and problem with key generation
Yuri Schaeffer
yuri at nlnetlabs.nl
Tue Jul 28 09:03:43 UTC 2015
> So would it be okay to change timing/ttl parameters in the policy
> itself?
Well... You could do it, but you need to be careful. It gets tricky
when you reduce a TTL in the KASP. Some resolvers may cache some
records too long (the old TTL), missing a rollover and declare your
zone bogus.
>> OpenDNSSEC pre-generates keys for later use. Likely a formerly
>> generated but unused key was still available.
>
> But the keylist was empty (there are no other zones in the zonelist
> at the moment) and the zone was not signed at all.
Key list will only show keys that are in use by being assigned to a zone.
//Yuri
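The caching hazard Yuri describes, worked through as a small timing model. This is an added example, not code from the thread or from OpenDNSSEC: it models a pre-publish ZSK rollover where the signer computes its hold time from the *new*, shorter DNSKEY TTL while a resolver still holds the DNSKEY RRset it fetched under the *old* TTL. The key names, the resolver behaviour (serve from cache until expiry, then refetch) and all timings are assumptions chosen to illustrate the point.

```python
# Added example (not from the thread): toy model of why lowering a TTL in the
# KASP can make a resolver with a warm cache miss a rollover and go bogus.
# Key names, resolver behaviour and all timings are assumptions.


def cache_expiry(fetched_at, ttl):
    """Time at which a resolver that fetched an RRset at fetched_at drops it."""
    return fetched_at + ttl


def naive_activation(publish_at, new_ttl):
    """Signer starts signing with the new ZSK after one *new* TTL of pre-publication."""
    return publish_at + new_ttl


def conservative_activation(publish_at, old_ttl, new_ttl):
    """Wait the larger of old and new TTL so caches filled under the old TTL have expired."""
    return publish_at + max(old_ttl, new_ttl)


def resolver_validates(cached_keys, expiry, signing_key, now):
    """True if a resolver asked at `now` can validate an RRSIG made with signing_key."""
    if now < expiry:
        # Still serving the cached DNSKEY RRset: the signing key must be in it.
        return signing_key in cached_keys
    # Cache expired: the resolver refetches the DNSKEY RRset, which (pre-publish
    # rollover) now carries both keys, so validation succeeds.
    return True


def simulate(old_ttl, new_ttl, conservative=False, publish_at=0, last_fetch=-1):
    """Worst case: a resolver cached the old DNSKEY set (under the old TTL) one
    second before the new key was published and the policy TTL was lowered."""
    cached_keys = {"ZSK-old"}                       # assumed key names
    expiry = cache_expiry(last_fetch, old_ttl)
    if conservative:
        activate = conservative_activation(publish_at, old_ttl, new_ttl)
    else:
        activate = naive_activation(publish_at, new_ttl)
    return resolver_validates(cached_keys, expiry, "ZSK-new", activate)


if __name__ == "__main__":
    day, hour = 86400, 3600
    print("TTL lowered 1d->1h, naive timing:     ", simulate(day, hour))
    print("TTL lowered 1d->1h, wait for old TTL: ", simulate(day, hour, conservative=True))
    print("TTL raised  1h->1d, naive timing:     ", simulate(hour, day))
```

Lowering the TTL from a day to an hour and trusting the new value immediately leaves a stale resolver holding a DNSKEY set without the new key at activation time, so its answers validate as bogus; waiting out the old TTL avoids that, and raising a TTL is harmless in this model because every cache expires before the longer hold time ends.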