[Opendnssec-user] ods2 signed zone ignores specified Serial format (unixtime), publishes RRSIG SOA with 'datecounter' ?

PGNet Dev pgnet.dev at gmail.com
Mon Dec 19 19:47:57 UTC 2016


On 12/19/2016 11:38 AM, Yuri Schaeffer wrote:
>>     egrep -i "serial|SOA" /var/opendnssec/signed/example.info
>>         example.info.     300     IN      SOA     dns.example.com.
>> soacontact.example.com. 1482169654 7200 1800 604800 300
>>         example.info.     300     IN      RRSIG   SOA 8 2 300
>> 20161219184751 20161219164734 38544 example.info. pib...U=
>>
>> shouldn't the 'unixtime' format be used consistently/unchanged in the
>> RRSIG SOA record as well?
>
> You are mixing two concepts.
>
> The SOA record indeed has a unixtime serial like you specified. The
> timestamps you see in the RRSIG SOA (or any other RRSIG in your zone)
> are *not* serial numbers. They represent the actual times between
> which this signature is valid.
>
> The SOA serial format is available for creative uses since the only
> requirement is that it increases for each zone version. The RRSIG
> timestamps are not to be tampered with.

Aha, ok.

From the RRSIG, the timestamps are

    ... 20161219184751 20161219164734 ...

That, then, appears to be a validity timeframe of only 2+ hours?

What config parameter specifies THAT range?

2+ hours seems rather short. I *am* currently working with policy == lab ...

So that I understand correctly, the valid signature range IS, or is NOT, 
related to the 'typical' KSK/ZSK rollover times?
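Added example, not code from this thread or from OpenDNSSEC: it takes the two records from the egrep output quoted above (reconstructed here as one line per record), decodes the unixtime SOA serial, and measures the RRSIG SOA validity window, so the serial and the signature timestamps can be compared side by side.

```python
"""Compare a unixtime SOA serial with the RRSIG SOA validity window."""
from datetime import datetime, timezone

# Constructed input: the two records quoted in the thread, unwrapped.
SIGNED_ZONE_LINES = [
    "example.info. 300 IN SOA dns.example.com. soacontact.example.com. "
    "1482169654 7200 1800 604800 300",
    "example.info. 300 IN RRSIG SOA 8 2 300 20161219184751 20161219164734 "
    "38544 example.info. pib...U=",
]

RRSIG_TIME = "%Y%m%d%H%M%S"  # RFC 4034 presentation format, always UTC


def parse_rrsig_time(field: str) -> datetime:
    """YYYYMMDDHHmmSS -> timezone-aware UTC datetime."""
    return datetime.strptime(field, RRSIG_TIME).replace(tzinfo=timezone.utc)


def soa_serial_as_unixtime(serial: int) -> datetime:
    """Interpret a unixtime-format serial as the UTC instant it encodes."""
    return datetime.fromtimestamp(serial, tz=timezone.utc)


def analyse(lines):
    """Extract serial, RRSIG SOA inception/expiration and derived intervals."""
    result = {}
    for line in lines:
        f = line.split()
        if f[3] == "SOA":
            result["serial"] = int(f[6])          # owner ttl IN SOA mname rname serial ...
        elif f[3] == "RRSIG" and f[4] == "SOA":
            # owner ttl IN RRSIG type alg labels origttl expiration inception keytag signer sig
            result["expiration"] = parse_rrsig_time(f[8])
            result["inception"] = parse_rrsig_time(f[9])
    result["serial_time"] = soa_serial_as_unixtime(result["serial"])
    # How long the signature is usable, and how far inception was backdated
    # relative to the moment the zone version was produced.
    result["validity"] = result["expiration"] - result["inception"]
    result["inception_offset"] = result["serial_time"] - result["inception"]
    return result


def signature_valid_at(result, when: datetime) -> bool:
    """True if `when` falls inside the RRSIG SOA [inception, expiration] window."""
    return result["inception"] <= when <= result["expiration"]


if __name__ == "__main__":
    r = analyse(SIGNED_ZONE_LINES)
    print("zone produced", r["serial_time"], "valid for", r["validity"])
```

For the quoted records this gives a signing time of 17:47:34 UTC, an inception backdated by one hour and a window of just over two hours; in OpenDNSSEC both intervals come from the policy's Signatures section in kasp.xml (Validity/Default and InceptionOffset), which is separate from the KSK/ZSK rollover settings.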
