[Opendnssec-user] Zone updates with 1.4.14

Roman Serbski mefystofel at gmail.com
Fri Jul 7 08:28:09 UTC 2017


On Thu, Jul 6, 2017 at 5:44 PM, Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:
> Hi Roman,
>
> I'm not 100% sure what you mean. I think you are saying that you used to
> see a daily resign of expired signatures but now you don't. Is that correct?
> Did OpenDNSSEC do a full resign after you upgraded? - This might
> explain why no signatures are expiring /yet/. Can you share your
> kasp.xml and conf.xml (beware! conf may contain passwords/pins). I could
> take a look and assert your expectations.

Hi Yuri,

Thanks for your reply, and sorry for the confusion. Daily resigns are
exactly what I miss after the update.

On the 2nd of July I stopped OpenDNSSEC and emptied
/usr/local/var/opendnssec/tmp/. Once started, all zones were resigned,
and I can see the SOA for all zones set to 2017070200 on the public
DNS. Since then nothing has been resigned, except for one zone with
the ZSK renewed.

My kasp.xml and conf.xml are attached.

Thank you in advance.
-------------- next part --------------
<?xml version="1.0" encoding="UTF-8"?>

<Configuration>

        <RepositoryList>

                <Repository name="SoftHSM">
                        <Module>/usr/local/lib/softhsm/libsofthsm.so</Module>
                        <TokenLabel>OpenDNSSEC</TokenLabel>
                        <PIN>XXXXXXXX</PIN>
                        <SkipPublicKey/>
                </Repository>

        </RepositoryList>

        <Common>
                <Logging>
                        <Verbosity>3</Verbosity>
                        <Syslog><Facility>local0</Facility></Syslog>
                </Logging>

                <PolicyFile>/usr/local/etc/opendnssec/kasp.xml</PolicyFile>
                <ZoneListFile>/usr/local/etc/opendnssec/zonelist.xml</ZoneListFile>
        </Common>

        <Enforcer>

                <Datastore><SQLite>/usr/local/var/opendnssec/kasp.db</SQLite></Datastore>
                <Interval>PT3600S</Interval>

        </Enforcer>

        <Signer>

                <WorkingDirectory>/usr/local/var/opendnssec/tmp</WorkingDirectory>
                <WorkerThreads>4</WorkerThreads>

                <Listener>
                        <Interface><Address>192.168.60.203</Address><Port>53</Port></Interface>
                </Listener>

        </Signer>

</Configuration>
-------------- next part --------------
<?xml version="1.0" encoding="UTF-8"?>

<KASP>

        <Policy name="default">
                <Description>A default policy that will amaze you and your friends</Description>
                <Signatures>
                        <Resign>PT2H</Resign>
                        <Refresh>P3D</Refresh>
                        <Validity>
                                <Default>P14D</Default>
                                <Denial>P14D</Denial>
                        </Validity>
                        <Jitter>PT12H</Jitter>
                        <InceptionOffset>PT3600S</InceptionOffset>
                </Signatures>

                <Denial>
                        <NSEC3>
                                <Resalt>P100D</Resalt>
                                <Hash>
                                        <Algorithm>1</Algorithm>
                                        <Iterations>5</Iterations>
                                        <Salt length="8"/>
                                </Hash>
                        </NSEC3>
                </Denial>

                <Keys>
                        <TTL>PT3600S</TTL>
                        <RetireSafety>PT3600S</RetireSafety>
                        <PublishSafety>PT3600S</PublishSafety>
                        <Purge>P14D</Purge>

                        <KSK>
                                <Algorithm length="2048">8</Algorithm>
                                <Lifetime>P1Y</Lifetime>
                                <Repository>SoftHSM</Repository>
                        </KSK>

                        <ZSK>
                                <Algorithm length="1024">8</Algorithm>
                                <Lifetime>P90D</Lifetime>
                                <Repository>SoftHSM</Repository>
                        </ZSK>
                </Keys>

                <Zone>
                        <PropagationDelay>PT43200S</PropagationDelay>
                        <SOA>
                                <TTL>PT3600S</TTL>
                                <Minimum>PT3600S</Minimum>
                                <Serial>datecounter</Serial>
                        </SOA>
                </Zone>

                <Parent>
                        <PropagationDelay>PT9999S</PropagationDelay>
                        <DS>
                                <TTL>PT3600S</TTL>
                        </DS>
                        <SOA>
                                <TTL>PT172800S</TTL>
                                <Minimum>PT10800S</Minimum>
                        </SOA>
                </Parent>

        </Policy>

</KASP>

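Added example (not part of the thread): given the Signatures section of the kasp.xml above, the script works out when signatures made during the full resign on 2 July can first be refreshed again. It assumes a time of day of 00:00 for that resign (the SOA serial only gives the date) and models jitter as shifting expiration by up to +/-Jitter with a refresh once less than Refresh of validity remains; that model is an assumption, not taken from the OpenDNSSEC source.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# <Signatures> element copied from the kasp.xml posted in this thread.
KASP_SIGNATURES = """<Signatures>
  <Resign>PT2H</Resign>
  <Refresh>P3D</Refresh>
  <Validity><Default>P14D</Default><Denial>P14D</Denial></Validity>
  <Jitter>PT12H</Jitter>
  <InceptionOffset>PT3600S</InceptionOffset>
</Signatures>"""

_DUR = re.compile(r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    """ISO 8601 duration subset as used in kasp.xml: weeks/days/hours/minutes/seconds.
    Years and months depend on the calendar, so they are rejected rather than guessed."""
    text = text.strip()
    m = _DUR.match(text)
    if not m or not any(m.groups()):
        raise ValueError("unsupported duration: %r" % text)
    w, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(weeks=w, days=d, hours=h, minutes=mi, seconds=s)

def refresh_window(sig_xml, signed_at_iso):
    """Earliest and latest wall-clock time (ISO strings) at which a signature made at
    signed_at_iso becomes eligible for re-signing.  Model assumed here, not taken from
    the OpenDNSSEC source: expiration = signed + Validity +/- Jitter, and a signature
    is refreshed by the first <Resign> run after less than <Refresh> of validity remains."""
    sig = ET.fromstring(sig_xml)
    validity = parse_duration(sig.findtext("Validity/Default"))
    refresh = parse_duration(sig.findtext("Refresh"))
    jitter = parse_duration(sig.findtext("Jitter"))
    resign = parse_duration(sig.findtext("Resign"))
    signed_at = datetime.fromisoformat(signed_at_iso)
    earliest = signed_at + validity - jitter - refresh
    latest = signed_at + validity + jitter - refresh + resign  # up to one resign run late
    return earliest.isoformat(sep=" "), latest.isoformat(sep=" ")

def resign_due(sig_xml, signed_at_iso, now_iso):
    """True once this policy can have started refreshing signatures made at signed_at_iso."""
    earliest, _ = refresh_window(sig_xml, signed_at_iso)
    return datetime.fromisoformat(now_iso) >= datetime.fromisoformat(earliest)

if __name__ == "__main__":
    # Full resign on 2 July (SOA serial 2017070200); 00:00 is an assumed time of day.
    print(refresh_window(KASP_SIGNATURES, "2017-07-02 00:00"))
    print(resign_due(KASP_SIGNATURES, "2017-07-02 00:00", "2017-07-07 08:28"))
```

With P14D validity, P3D refresh and PT12H jitter, the first signatures from 2 July are not eligible for refresh until about 12 July, so at the time of the mail (7 July) nothing being resigned is what this policy predicts.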
