[Opendnssec-user] ods2 signed zone ignores specified Serial format (unixtime), publishes RRSIG SOA with 'datecounter' ?
Yuri Schaeffer
yuri at nlnetlabs.nl
Mon Dec 19 20:03:29 UTC 2016
> From the RRSIG, timestamps are
>
> ... 20161219184751 20161219164734 ...
>
> That, then, appears to be a validity timeframe of only 2+ hours?
>
> What config parameter specifies THAT range?
>
> 2+ hours seems rather short. I *am* currently working with policy == lab
Yes, the lab policy is not anywhere near a sane policy for production.
But it helps for testing, being able to track rollovers and resigns in
realtime. The default policy is a good starting point for actual use.
Main parameters here are signatures/validity/default + signatures/inceptionoffset +/- signatures/jitter.
> So that I understand correctly, the valid signature range IS, or is NOT,
> related to the 'typical' KSK/ZSK rollover times?
It is not. It determines how often signatures are refreshed. It has no
influence on how fast keys will roll.
//Yuri
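As an added illustration (not part of the thread and not OpenDNSSEC code), the script below takes an RRSIG record in presentation format, extracts its inception and expiration timestamps, and checks whether the observed validity window is explainable by the policy parameters named in the reply. It treats the window as validity + inceptionoffset, widened by +/- jitter, which is an assumption drawn from the reply's formula rather than from the OpenDNSSEC source. The RRSIG line is constructed around the two timestamps quoted above (owner name, key tag and signature bytes are placeholders), and the policy values are constructed too; they are not the actual lab policy.

```python
import re
from datetime import datetime, timedelta, timezone

# RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034 presentation format).
RRSIG_TS = "%Y%m%d%H%M%S"

# Constructed sample record: the timestamps are the ones quoted in the thread,
# everything else (owner, key tag, signature) is a placeholder.
SAMPLE_RRSIG = (
    "example.test. 3600 IN RRSIG SOA 8 2 3600 "
    "20161219184751 20161219164734 12345 example.test. cGxhY2Vob2xkZXI="
)

# Constructed policy values (NOT the real lab policy), in kasp.xml duration syntax.
SAMPLE_POLICY = {"validity": "PT2H", "inceptionoffset": "PT0S", "jitter": "PT5M"}


def parse_rrsig_time(ts: str) -> datetime:
    """Parse an RRSIG YYYYMMDDHHMMSS timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, RRSIG_TS).replace(tzinfo=timezone.utc)


def parse_duration(iso: str) -> timedelta:
    """Parse the PnDTnHnMnS subset of ISO 8601 durations that kasp.xml uses."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso)
    if not m or iso in ("P", "PT"):
        raise ValueError(f"unsupported duration: {iso!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_rrsig(line: str) -> dict:
    """Split a presentation-format RRSIG RR into its named fields."""
    tokens = line.split()
    i = tokens.index("RRSIG")
    # RDATA order per RFC 4034: type covered, algorithm, labels, original TTL,
    # expiration, inception, key tag, signer name, signature.
    fields = ["type_covered", "algorithm", "labels", "original_ttl",
              "expiration", "inception", "key_tag", "signer"]
    rr = dict(zip(fields, tokens[i + 1:i + 9]))
    rr["owner"] = tokens[0]
    rr["signature"] = "".join(tokens[i + 9:])
    return rr


def signature_window(rr: dict) -> timedelta:
    """Validity window of the signature: expiration minus inception."""
    return parse_rrsig_time(rr["expiration"]) - parse_rrsig_time(rr["inception"])


def window_is_consistent(window: timedelta, policy: dict) -> bool:
    """Check the observed window against validity + inceptionoffset +/- jitter.

    Assumption (from the reply's formula): the signer sets the window to
    validity plus inceptionoffset, then perturbs it by a random amount in
    [-jitter, +jitter]. Anything outside that band means the zone was not
    signed under the policy we think it was.
    """
    expected = parse_duration(policy["validity"]) + parse_duration(policy["inceptionoffset"])
    jitter = parse_duration(policy["jitter"])
    return expected - jitter <= window <= expected + jitter


if __name__ == "__main__":
    rr = parse_rrsig(SAMPLE_RRSIG)
    window = signature_window(rr)
    print(f"{rr['type_covered']} RRSIG window: {window} ({int(window.total_seconds())}s)")
    print("consistent with policy:", window_is_consistent(window, SAMPLE_POLICY))
```

The window for the quoted timestamps is 2 hours and 17 seconds; with the constructed policy above that is within jitter of a 2-hour validity, while a policy with zero jitter would flag the same record as inconsistent. For an operational check you would read the real values from the policy's kasp.xml rather than the constructed dictionary.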