On 19-03-12 17:05, Einar Bjarni Halldórsson wrote:
> Hi,
>
> Since we regenerate our zone automatically every 20 minutes we are using
> "keep" as our serial. I see in the logs that I get regular errors because the
> signer tries to run but can't because the serial hasn't been incremented.
> Since we only call the signer if the serial has been incremented, I guess the
> enforcerd is trying to resign some records or something and failing since the
> serial hasn't been incremented.
>
> This got me thinking, what happens if an error or something means we don't
> regenerate our zone for a few hours or even days... will the signatures just
> become invalid since the enforcerd can't update them?
It depends on the policy set in kasp, but yes, that's the gist of it. Off the top of my head, the default policy is set to 7 days. After that validation will fail.

I've been pondering the question whether or not to raise this significantly. If something goes wrong during a vacation period there is a real risk that we will not be able to fix it in time. Although I work in a very technical environment I'm not sure if all of my colleagues will be able to fix every DNSSEC problem. If you are in a less technical environment or are not able to dedicate time to DNSSEC whenever it is required, the 7 day limit is probably too low.

--
Casper Gielen <[email protected]> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
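The failure mode discussed in this thread (the signer stops re-signing, whether because the serial never changes or because zone regeneration stalls, and signatures silently run toward their expiry) is invisible until validation breaks. An added example, not code from the thread or from OpenDNSSEC: an offline check that reads a signed zone in presentation format, finds the RRSIG that expires first, and raises a warning when the remaining lifetime drops below a threshold derived from the policy's Refresh interval. The zone text, the `P3D`/`PT2H` duration values and the one-day safety margin are all constructed assumptions for illustration, not values from any real policy; the duration parser handles only the day/hour/minute/second subset of ISO 8601 that kasp.xml uses, and the RRSIG parser handles only the 14-digit `YYYYMMDDHHmmSS` timestamp form.

```python
"""Offline RRSIG expiry check with a policy-aware warning threshold (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample zone (not a real signed zone). RRSIG presentation format
# per RFC 4034: owner ttl IN RRSIG type alg labels origttl expiration inception keytag signer sig
# Expiration/inception are YYYYMMDDHHmmSS in UTC.
SAMPLE_ZONE = """\
example.test.     3600 IN SOA   ns1.example.test. hostmaster.example.test. 2019031201 7200 3600 1209600 3600
example.test.     3600 IN RRSIG SOA 8 2 3600 20190319170000 20190312170000 12345 example.test. AbCd==
example.test.     3600 IN NS    ns1.example.test.
example.test.     3600 IN RRSIG NS 8 2 3600 20190321120000 20190314120000 12345 example.test. EfGh==
www.example.test.  300 IN A     192.0.2.10
www.example.test.  300 IN RRSIG A 8 3 300 20190318090000 20190311090000 12345 example.test. IjKl==
"""

RRSIG_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+"
)
# Subset of ISO 8601 durations as used in kasp.xml, e.g. P14D, P3D, PT2H, PT3600S (assumption).
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Convert a kasp-style ISO 8601 duration (days/hours/minutes/seconds) to a timedelta."""
    m = DURATION_RE.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_rrsig_expirations(zone_text):
    """Return (owner, covered_type, expiration) for every RRSIG line in the zone text."""
    found = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if not m:
            continue
        owner, _ttl, rtype, expiration, _inception = m.groups()
        when = datetime.strptime(expiration, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        found.append((owner, rtype, when))
    return found


def warning_threshold(refresh, signer_interval, margin=timedelta(days=1)):
    """Threshold below which remaining RRSIG lifetime means the signer has stopped.

    A healthy signer replaces signatures once less than Refresh remains, so right
    after a successful run no signature should have less than roughly Refresh left.
    Anything below Refresh + one signer cadence + margin indicates re-signing stalled.
    """
    return refresh + signer_interval + margin


def check_signatures(zone_text, now, warn_before):
    """Find the earliest-expiring RRSIG and classify the zone's state at time `now`."""
    sigs = parse_rrsig_expirations(zone_text)
    if not sigs:
        raise ValueError("no RRSIG records found; zone is not signed")
    owner, rtype, earliest = min(sigs, key=lambda s: s[2])
    remaining = earliest - now
    return {
        "owner": owner,
        "type": rtype,
        "expires": earliest,
        "remaining": remaining,
        "expired": remaining <= timedelta(0),
        "warning": remaining <= warn_before,
    }


if __name__ == "__main__":
    # Assumed policy values: Refresh P3D, zone regenerated and signed every 20 minutes.
    threshold = warning_threshold(parse_duration("P3D"), timedelta(minutes=20))
    for label, now in (
        ("healthy-ish run", datetime(2019, 3, 14, 12, 0, tzinfo=timezone.utc)),
        ("stalled signer", datetime(2019, 3, 20, 0, 0, tzinfo=timezone.utc)),
    ):
        r = check_signatures(SAMPLE_ZONE, now, threshold)
        print(f"{label}: earliest RRSIG {r['owner']} {r['type']} expires {r['expires']:%Y-%m-%d %H:%M}Z, "
              f"remaining {r['remaining']}, warning={r['warning']}, expired={r['expired']}")
```

Run it against a real zone by replacing `SAMPLE_ZONE` with the signer's output file and `now` with the current UTC time; the threshold should be set from the Refresh value in your own kasp.xml rather than the assumed `P3D`, and a zone that has already crossed it should page someone before the Validity period, whatever it is set to, runs out.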
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
