On 03/05/2012 09:49 AM, Yuri Schaeffer wrote:
> Hi Dick,
>
> On 03/03/12 10:43, Dick Visser wrote:
>> I see that in kasp.xml a couple of values from the input zone are
>> overridden. For TTL and Minimum of the SOA record, I want these
>> to be just the same as my input zone, but AFAIK there is no way
>> to do this, other than manually filling in the same value.

You can create a new policy for that zone.

> The reason for this manual work is in the design of OpenDNSSEC.
> The enforcer deals with concepts of keys and policies while the
> signer does actual work on the data.
>
> Therefore it is decided that the enforcer does not need or care
> about the data (your zonefiles). This is unfortunately not entirely
> true. To make decisions about the speed and order of events the
> enforcer needs to know these values.
>
>> The Serial value has an option "keep" which keeps whatever is in
>> the input zone. Would it be an idea to have this option also for
>> TTL and Minimum?

If you create a policy with the same values as in the unsigned zone file, wouldn't that solve your problems? Or do you have a zone where the TTL and Minimum of the SOA RR are changed a lot (I couldn't imagine why)?

It is technically possible to have such options for TTL and Minimum. I am not convinced if it is a good idea.

> The signer is the only part parsing the zone file right now.
> Supporting this is not trivial.

It is technically possible to have this, even without having the enforcer parse the zone file.

Best regards,
Matthijs

>
> Regards, Yuri
>
>> If such an option would exist, it should be a sane default as
>> well, so it would make sense to have the default policy
>> configured like that too...
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
