[Opendnssec-user] ods2 signed zone ignores specified Serial format (unixtime), publishes RRSIG SOA with 'datecounter' ?
yuri at nlnetlabs.nl
Mon Dec 19 20:03:29 UTC 2016
> From the RRSIG, timestamps are
> ... 20161219184751 20161219164734 ...
> That, then, appears to be a validity timeframe of only 2+ hours?
> What config parameter specifies THAT range?
> 2+ hours seems rather short. I *am* currently working with policy == lab
Yes, the lab policy is not anywhere near a sane policy for production.
But it helps for testing, being able to track rollovers and resigns in
realtime. The default policy is a good starting point for actual use.
Main parameters here are signatures/validity/default
> So that I understand correctly, the valid signature range IS, or is NOT,
> related to the 'typical' KSK/ZSK rollover times?
It is not. It determines how often signatures are refreshed. It has no
influence on how fast keys will roll.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 195 bytes
Desc: OpenPGP digital signature
More information about the Opendnssec-user