[Opendnssec-user] ods2 signed zone ignores specified Serial format (unixtime), publishes RRSIG SOA with 'datecounter' ?
PGNet Dev
pgnet.dev at gmail.com
Mon Dec 19 19:47:57 UTC 2016
On 12/19/2016 11:38 AM, Yuri Schaeffer wrote:
>> egrep -i "serial|SOA" /var/opendnssec/signed/example.info
>> example.info. 300 IN SOA dns.example.com.
>> soacontact.example.com. 1482169654 7200 1800 604800 300
>> example.info. 300 IN RRSIG SOA 8 2 300
>> 20161219184751 20161219164734 38544 example.info. pib...U=
>>
>> shouldn't the 'unixtime' format be used consistently/unchanged in the
>> RRSIG SOA record as well?
>
> You are mixing two concepts.
>
> The SOA record indeed has a unixtime serial like you specified. The
> timestamps you see in the RRSIG SOA (or any other RRSIG in your zone)
> are *not* serial numbers. They represent the actual times between
> which this signature is valid.
>
> The SOA serial format is available for creative uses since the only
> requirement is that it increases for each zone version. The RRSIG
> timestamps are not to be tampered with.
Aha, ok.
From the RRSIG, timestamps are
... 20161219184751 20161219164734 ...
That, then, appears to be a validity timeframe of only 2+ hours?
What config parameter specifies THAT range?
2+ hours seems rather short. I *am* currently working with policy == lab ...
So that I understand correctly, the valid signature range IS, or is NOT,
related to the 'typical' KSK/ZSK rollover times?
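Working the two records quoted above through the distinction Yuri draws (serial versus signature validity), as an added example that is not part of this thread or of OpenDNSSEC: it decodes the unixtime serial, pulls the inception/expiration fields out of the RRSIG SOA, measures the window, and performs the only check a validating resolver makes on those timestamps. Field positions follow RFC 4034 presentation format; the record strings are copied from the message above.

```python
from datetime import datetime, timezone

# Records copied from the signed zone quoted in this thread.
SOA_LINE = ("example.info. 300 IN SOA dns.example.com. "
            "soacontact.example.com. 1482169654 7200 1800 604800 300")
RRSIG_SOA_LINE = ("example.info. 300 IN RRSIG SOA 8 2 300 "
                  "20161219184751 20161219164734 38544 example.info. pib...U=")


def parse_rrsig_time(field: str) -> datetime:
    """RRSIG presentation format writes inception/expiration as YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def soa_serial_as_unixtime(soa_line: str) -> str:
    """Serial is the first numeric RDATA field after RNAME; this zone uses unixtime, so it decodes to a date."""
    fields = soa_line.split()
    serial = int(fields[6])  # owner ttl class SOA mname rname SERIAL refresh retry expire minimum
    return datetime.fromtimestamp(serial, tz=timezone.utc).isoformat()


def rrsig_validity(rrsig_line: str):
    """Return (inception, expiration) of an RRSIG; expiration precedes inception in the text form."""
    fields = rrsig_line.split()
    # owner ttl class RRSIG type alg labels origttl EXPIRATION INCEPTION keytag signer signature
    expiration = parse_rrsig_time(fields[8])
    inception = parse_rrsig_time(fields[9])
    return inception, expiration


def validity_seconds(rrsig_line: str) -> int:
    """Length of the window the signer chose, in seconds; unrelated to the SOA serial."""
    inception, expiration = rrsig_validity(rrsig_line)
    return int((expiration - inception).total_seconds())


def signature_is_current(rrsig_line: str, when_yyyymmddhhmmss: str) -> bool:
    """The validator's test: inception <= now <= expiration. The serial never enters into it."""
    inception, expiration = rrsig_validity(rrsig_line)
    now = parse_rrsig_time(when_yyyymmddhhmmss)
    return inception <= now <= expiration


if __name__ == "__main__":
    print("serial decodes to", soa_serial_as_unixtime(SOA_LINE))
    print("RRSIG window is", validity_seconds(RRSIG_SOA_LINE), "seconds")
    print("valid at 18:00 UTC:", signature_is_current(RRSIG_SOA_LINE, "20161219180000"))
    print("valid at 19:00 UTC:", signature_is_current(RRSIG_SOA_LINE, "20161219190000"))
```

Run against the quoted records the serial decodes to 17:47:34 UTC while the RRSIG is good from 16:47:34 to 18:47:51 UTC, a window of 2 h 0 min 17 s; a resolver that validates after 18:47:51 rejects the RRSIG regardless of the serial.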