Hey Marco,

The best way to do this is making sure OpenDNSSEC has no cache to work with. In other words: empty the /var/opendnssec/tmp and /signed directories after every manual resign. This way OpenDNSSEC has no signatures to reuse.

Also, OpenDNSSEC 1.1.0 has an issue with the auditor not accepting an InceptionOffset of "0".

Cheers,
Rick

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Marco Davids (SIDN)
Sent: Thursday, July 08, 2010 11:59 AM
To: [email protected]
Subject: [Opendnssec-user] RRSIG reuse thoughts...

Dear folks,

I am looking into the possibilities of not taking advantage of OpenDNSSEC's signature-reuse capabilities, but instead to regenerate each and every RRSIG from scratch whenever a signing command is issued. I see benefits in such a setup (think of a scenario where resigning is halted, or contact to slaves is lost for some reason - fresh RRSIGs could buy me more time to solve the issue).

This config seems to achieve my goal:

    <Signatures>
        <Resign>PT594000S</Resign>
        <Refresh>PT604799S</Refresh>
        <Validity>
            <Default>PT604800S</Default>
            <Denial>PT604800S</Denial>
        </Validity>
        <Jitter>PT0S</Jitter>
        <InceptionOffset>PT0S</InceptionOffset>
    </Signatures>

Question is: Is this a desirable setup? And how intelligent and efficient is OpenDNSSEC here? Will it still inspect each and every existing RRSIG, only to find out that it needs to be refreshed? Or will it know that this is not very efficient to do with such a configuration and that it is better to refresh every RRSIG regardless?

Are there other, better ways to disable signature re-use, or is it discommendable behaviour anyway?

Thank you for your insights.

--
Marco

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
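As an added illustration (not code from the thread or from OpenDNSSEC itself), a small Python check that parses a kasp.xml <Signatures> block like the one above and reports whether the intervals force every RRSIG to be regenerated on each Resign run. The refresh rule it applies (a signature is renewed when it expires less than Refresh ahead of the current run) is stated as an assumption in the comments, and the sample block is constructed from the thread with the missing unit on <Denial> corrected.

```python
import re
import xml.etree.ElementTree as ET

# Assumed OpenDNSSEC semantics: at each Resign run, a signature is renewed when
# its expiration lies less than Refresh ahead of "now". A signature made at time
# t expires at t + Validity (+ up to Jitter); at the next run, t + Resign, it is
# therefore renewed iff Validity + Jitter - Resign < Refresh.

# ISO 8601 duration subset used in kasp.xml: PnDTnHnMnS (each part optional).
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_seconds(text: str) -> int:
    """Convert a kasp.xml duration such as PT604800S or P7D into seconds."""
    text = text.strip()
    m = _DUR.match(text)
    if not m or text in ("P", "PT"):
        # e.g. "PT604800" (unit letter missing) is rejected here
        raise ValueError(f"invalid ISO 8601 duration: {text!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


# Constructed sample: the block from the thread, <Denial> unit corrected.
SAMPLE = """<Signatures>
  <Resign>PT594000S</Resign>
  <Refresh>PT604799S</Refresh>
  <Validity><Default>PT604800S</Default><Denial>PT604800S</Denial></Validity>
  <Jitter>PT0S</Jitter>
  <InceptionOffset>PT0S</InceptionOffset>
</Signatures>"""


def analyse(xml_text: str) -> dict:
    """Return whether the settings defeat signature reuse, plus advisory notes."""
    root = ET.fromstring(xml_text)
    get = lambda path: duration_seconds(root.findtext(path, ""))
    resign, refresh, jitter = get("Resign"), get("Refresh"), get("Jitter")
    validity = max(get("Validity/Default"), get("Validity/Denial"))
    full_resign = validity + jitter - resign < refresh
    notes = []
    if full_resign:
        notes.append("every RRSIG is regenerated on each Resign run (no reuse)")
    if get("InceptionOffset") == 0:
        notes.append("InceptionOffset PT0S: thread reports the 1.1.0 auditor rejects it")
    return {"full_resign": full_resign, "notes": notes}
```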
