Hi,

> I'm running NSD 4.0.3 as a hidden master and OpenDNSSEC 1.4.6 on a
> separate server getting plain zones from the hidden master via DNS
> adapters. Everything is working fine, but occasionally I get the
> following in the logs of OpenDNSSEC:
>
> Sep 2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org request udp/ixfr=2373323896 to 192.168.157.46
> Sep 2 10:33:08 srv-signer ods-signerd: [xfrd] bad packet: zone domain.org received error code NOTIMPL from 192.168.157.46

OpenDNSSEC requests an IXFR, but NSD does not support (serving) IXFR.

> Sep 2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org request axfr to 192.168.157.46
> Sep 2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org got update indicating current serial 2014082701 from 192.168.157.46
> ...

And then OpenDNSSEC falls back to AXFR. Everything is fine.

> And the second question: could somebody please explain the reasons
> for increasing ZSK lifetime from 30 to 90 days in the default
> policy?

My guess is that 90 is considered "better" than 30 for people who just
copy the defaults. Those people do not tend to be paranoid. But maybe
Jakob remembers?

$ git show 627d8279
commit 627d82798aeb0d54e30bd63ce3a0131c4dbbb509
Author: Jakob Schlyter <[email protected]>
Date: Wed Apr 18 12:47:28 2012 +0000

    Change the default signature validity to 14 days (was 7 days)
    Change the default ZSK lifetime to 90 days (was 30 days)

Regards,
Yuri

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
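
Added example (not part of the original message and not OpenDNSSEC code): a small Python check that replays the four ods-signerd [xfrd] messages quoted above per zone and separates the harmless NOTIMPL-then-AXFR fallback from an IXFR refusal with no follow-up transfer. The example.net log lines are constructed, and treating the "got update indicating current serial" line as the success marker is an assumption.

```python
import re

# First four entries: the log lines quoted in the message above.
# Last two (example.net): constructed, an IXFR refusal with no AXFR after it.
SAMPLE_LOG = """\
Sep 2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org request udp/ixfr=2373323896 to 192.168.157.46
Sep 2 10:33:08 srv-signer ods-signerd: [xfrd] bad packet: zone domain.org received error code NOTIMPL from 192.168.157.46
Sep 2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org request axfr to 192.168.157.46
Sep 2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org got update indicating current serial 2014082701 from 192.168.157.46
Sep 2 10:40:11 srv-signer ods-signerd: [xfrd] zone example.net request udp/ixfr=2014090101 to 192.168.157.46
Sep 2 10:40:11 srv-signer ods-signerd: [xfrd] bad packet: zone example.net received error code NOTIMPL from 192.168.157.46
"""

# Each pattern captures (zone, detail) for one of the four message shapes.
EVENTS = [
    ("ixfr", re.compile(r"\[xfrd\] zone (\S+) request \S*ixfr=(\d+) to")),
    ("error", re.compile(r"\[xfrd\] bad packet: zone (\S+) received error code (\S+) from")),
    ("axfr", re.compile(r"\[xfrd\] zone (\S+) request (axfr) to")),
    ("serial", re.compile(r"\[xfrd\] zone (\S+) got update indicating current serial (\d+) from")),
]

def step(prev, kind, detail):
    """Advance one zone's transfer state on a single log event."""
    if kind == "ixfr":
        return "ixfr-requested"
    if kind == "error":
        # NOTIMPL straight after an IXFR request: the master does not serve IXFR.
        if detail == "NOTIMPL" and prev == "ixfr-requested":
            return "ixfr-refused"
        return "error:" + detail
    if kind == "axfr":
        return "axfr-fallback" if prev == "ixfr-refused" else "axfr-requested"
    # kind == "serial": assumed here to mean the master answered the transfer.
    return "ok-after-fallback" if prev == "axfr-fallback" else "ok"

def classify(log_text):
    """Return {zone: final state} after replaying the log in order."""
    state = {}
    for line in log_text.splitlines():
        for kind, rx in EVENTS:
            m = rx.search(line)
            if m:
                zone, detail = m.groups()
                state[zone] = step(state.get(zone, "idle"), kind, detail)
                break
    return state

def needs_attention(verdicts):
    """Zones whose last observed state is not a completed transfer."""
    return sorted(z for z, s in verdicts.items() if not s.startswith("ok"))
```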
