DNSSEC questions
Matthijs Mekking
matthijs at isc.org
Thu Oct 28 07:34:42 UTC 2021
On 27-10-2021 18:48, Alessandro Vesely wrote:
>>> 3. The server produces new .signed and .signed.jnl files every day,
>>> which is inconvenient as the zone files directory is checked by
>>> tripwire. Is that timing determined by the dnskey-ttl? Would it be
>>> okay to set it to one month?
>>
>> The zone is signed if a signature is about to expire. It is not
>> determined by dnskey-ttl. I would exclude these files from tripwire
>> because they need to be written out anyway.
>
>
> Then, why does it have to rewrite it every day, if the zone didn't
> change? dnskey-ttl is the only one-day timing thing, except parent-ds-ttl.
It shouldn't. It should only rewrite if there are changes, for example
due to zone updates or due to resigning.
> BTW, DS RR has a ttl of 10800 at the parent; should I copy that to
> parent-ds-ttl in my policy definition?
Yes.
> What for?
To make sure the key rollovers are timed correctly.
In addition, I took a closer look at your policy.
publish-safety P3W;
retire-safety P3W;
The publish-safety and retire-safety are intended to be small margins
added to rollover timings to give some extra time to cover unforeseen
events. The defaults are 1 hour. Maybe you have good reasons to set them
to 3 weeks, but it is remarkably long.
Best regards,
Matthijs
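The following script is an added example for this thread, not code from ISC or from BIND. It lints a dnssec-policy block for the two things raised above: publish-safety/retire-safety margins far above the one-hour default, and a parent-ds-ttl that does not match the DS TTL the parent actually serves. The policy blocks and the dig answer line are constructed samples (the P3W values and the 10800 DS TTL are the ones from the thread). The zone-propagation-delay and dnskey-ttl defaults, and the RFC 7583-style pre-publication sum used to show how much a 3-week margin lengthens a rollover step, are my assumptions, not BIND's exact key-manager arithmetic.

```python
"""Lint a BIND 9 dnssec-policy block for over-long safety margins and a
parent-ds-ttl that disagrees with the parent's DS TTL.  Added example, not ISC code."""
import re

SECONDS = {"W": 604800, "D": 86400, "H": 3600, "M": 60, "S": 1}
DEFAULT_SAFETY = 3600        # publish-safety / retire-safety default (PT1H), per the thread
DEFAULT_DNSKEY_TTL = 3600    # assumed dnskey-ttl default (PT1H)
DEFAULT_ZONE_PROP = 300      # assumed zone-propagation-delay default (PT5M)

# Constructed sample: the policy as posted (3-week margins, parent-ds-ttl left at one day).
SAMPLE_POLICY = """
dnssec-policy "posted" {
    dnskey-ttl P1D;
    publish-safety P3W;
    retire-safety P3W;
    parent-ds-ttl P1D;
};
"""

# Constructed sample: the same policy with default margins and parent-ds-ttl = 10800.
FIXED_POLICY = """
dnssec-policy "adjusted" {
    dnskey-ttl P1D;
    publish-safety PT1H;
    retire-safety PT1H;
    parent-ds-ttl PT3H;
};
"""

# Constructed line in the shape `dig +noall +answer DS example.org @<parent NS>` prints.
SAMPLE_DS_ANSWER = "example.org.\t10800\tIN\tDS\t12345 13 2 ABCDEF0123456789"

# ISO 8601 duration subset used in dnssec-policy (P3W, P1D, PT1H, PT30M, PT90S).
_DUR = re.compile(
    r"^P(?:(?P<W>\d+)W)?(?:(?P<D>\d+)D)?"
    r"(?:T(?:(?P<H>\d+)H)?(?:(?P<M>\d+)M)?(?:(?P<S>\d+)S)?)?$"
)
_STMT = re.compile(r"^\s*([a-z-]+)\s+([^;{]+);\s*$")


def parse_duration(text: str) -> int:
    """Seconds for an ISO 8601 duration or a bare number of seconds."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    m = _DUR.match(text.upper())
    if not m or not any(m.groupdict().values()):
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(v) * SECONDS[k] for k, v in m.groupdict().items() if v)


def parse_policy(text: str) -> dict:
    """Collect every `name value;` statement whose value parses as a duration."""
    policy = {}
    for line in text.splitlines():
        m = _STMT.match(line)
        if not m:
            continue
        name, value = m.groups()
        try:
            policy[name] = parse_duration(value)
        except ValueError:
            pass  # not a duration statement (e.g. keys/algorithm lines); ignore
    return policy


def ds_ttl_from_dig(answer_line: str) -> int:
    """TTL field of one DS answer line from dig."""
    _name, ttl, _klass, rtype, *_rdata = answer_line.split()
    if rtype != "DS":
        raise ValueError(f"not a DS record: {answer_line!r}")
    return int(ttl)


def prepublish_wait(policy: dict) -> int:
    """RFC 7583-style pre-publication interval for a new DNSKEY:
    dnskey-ttl + publish-safety + zone-propagation-delay (an estimate)."""
    return (policy.get("dnskey-ttl", DEFAULT_DNSKEY_TTL)
            + policy.get("publish-safety", DEFAULT_SAFETY)
            + policy.get("zone-propagation-delay", DEFAULT_ZONE_PROP))


def check_policy(policy: dict, parent_ds_ttl: int, max_safety: int = 86400) -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    for name in ("publish-safety", "retire-safety"):
        val = policy.get(name, DEFAULT_SAFETY)
        if val > max_safety:
            findings.append(f"{name} is {val}s, far above the {DEFAULT_SAFETY}s default")
    if policy.get("parent-ds-ttl") != parent_ds_ttl:
        findings.append(f"parent-ds-ttl {policy.get('parent-ds-ttl')} != "
                        f"DS TTL {parent_ds_ttl} served by the parent")
    return findings


if __name__ == "__main__":
    ds_ttl = ds_ttl_from_dig(SAMPLE_DS_ANSWER)
    for text in (SAMPLE_POLICY, FIXED_POLICY):
        pol = parse_policy(text)
        print(check_policy(pol, ds_ttl), "pre-publish wait (s):", prepublish_wait(pol))
```

With the posted values the script flags both margins and the parent-ds-ttl mismatch; with the adjusted block it reports nothing, and the estimated pre-publish wait drops from about 22 days to a little over one day.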