On 9/11/12 1:12 PM, Sara Dickinson wrote:
>
> On 8 Sep 2012, at 12:07, Tom Hendrikx wrote:
>
>> Is there some resource available that collects all these kind of
>> settings which I missed
>
> Sorry Tom - nothing that I am aware of.
>
> Sara.
>
Yesterday night I found the correct google incantation: 'dnssec policy statement', but if I want to do it correctly (in my opinion of correct, on which I also requested feedback from other ops), I still am missing data.

For correct parent settings, I need 4 values:

1) Parent->SOA->TTL: Can be obtained from the SOA RR of the TLD in DNS directly.
2) Parent->SOA->Minimum: same as above.
3) Parent->DS->TTL: time-to-live for DS RRs. Can be spied from existing DS RRs in the TLD zone, but ideally should be obtained from the TLD DNSSEC policy.
4) Parent->PropagationDelay: time until next TLD zone update. Depends on the interval at which the TLD operator refreshes the zone data, which should be 'somewhere' in their documentation, but for Verisign I did not find anything yet.

Finding the DNSSEC policy for a TLD gives me an answer to 3) (after digging through ~23 pages of mostly legal stuff). Answer to 4) is AFAICS generally not available in the DNSSEC policy, so you need to start a new crusade on that :/

Still interested to hear opinions from other openDNSSEC operators on this...

--
Tom
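
An added example, not part of the original message and not OpenDNSSEC's own tooling: it reads values 1) to 3) from `dig +noall +answer` style lines and emits the `<Parent>` block of a `kasp.xml` policy. The zone names, record values and the 3600-second propagation delay are constructed assumptions; value 4) cannot be read from DNS and has to be supplied by hand.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `dig +noall +answer` output, as if asked of an
# authoritative server for the parent zone (so TTLs are not counted down).
SAMPLE_ANSWERS = f"""\
example.        900   IN SOA a.nic.example. hostmaster.nic.example. 2012091100 1800 900 604800 86400
signed.example. 86400 IN DS  12345 8 2 {'AB' * 32}
"""

def parse_answers(text):
    """Extract the parent SOA TTL, SOA minimum and DS TTL (all in seconds)."""
    found = {}
    for line in text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) < 5:
            continue  # skip dig comments and short or blank lines
        ttl, rrtype, rdata = int(fields[1]), fields[3].upper(), fields[4:]
        if rrtype == "SOA" and len(rdata) == 7:
            found["soa_ttl"] = ttl
            found["soa_minimum"] = int(rdata[6])  # last SOA field
        elif rrtype == "DS":
            # Keep the largest TTL seen in case some lines came from a cache.
            found["ds_ttl"] = max(ttl, found.get("ds_ttl", 0))
    return found

def parent_element(values, propagation_delay_s):
    """Build the kasp.xml <Parent> element with ISO 8601 durations."""
    missing = {"soa_ttl", "soa_minimum", "ds_ttl"} - values.keys()
    if missing:
        raise ValueError(f"missing parent values: {sorted(missing)}")
    parent = ET.Element("Parent")
    # Not discoverable from DNS: taken from the TLD operator's documentation.
    ET.SubElement(parent, "PropagationDelay").text = f"PT{propagation_delay_s}S"
    ds = ET.SubElement(parent, "DS")
    ET.SubElement(ds, "TTL").text = f"PT{values['ds_ttl']}S"
    soa = ET.SubElement(parent, "SOA")
    ET.SubElement(soa, "TTL").text = f"PT{values['soa_ttl']}S"
    ET.SubElement(soa, "Minimum").text = f"PT{values['soa_minimum']}S"
    return parent

if __name__ == "__main__":
    # 3600 s is an assumed placeholder for the operator's update interval.
    element = parent_element(parse_answers(SAMPLE_ANSWERS), 3600)
    print(ET.tostring(element, encoding="unicode"))
```

Feed it answers taken from one of the parent zone's authoritative servers; a recursive resolver returns TTLs that have already been counted down.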
