[Opendnssec-user] ods2 signed zone ignores specified Serial format (unixtime), publishes RRSIG SOA with 'datecounter' ?

Yuri Schaeffer yuri at nlnetlabs.nl
Mon Dec 19 20:03:29 UTC 2016

> From the RRSIG, timestamps are
>    ... 20161219184751 20161219164734 ...
> That, then, appears to be a validity timeframe of only 2+ hours?
> What config parameter specifies THAT range?
> 2+ hours seems rather short. I *am* currently working with policy == lab

Yes, the lab policy is not anywhere near a sane policy for production.
But it helps for testing, being able to track rollovers and resigns in
realtime. The default policy is a good starting point for actual use.

Main parameters here are signatures/validity/default
+signatures/inceptionoffset +/-signatures/jitter

> So that I understand correctly, the valid signature range IS, or is NOT,
> related to the 'typical' KSK/ZSK rollover times?

It is not. It determines how often signatures are refreshed. It has no
influence on how fast keys will roll.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20161219/8e847316/attachment.bin>

More information about the Opendnssec-user mailing list