In the same way that NSD has the "AXFR" flag to specify only to try AXFR transfers... would it not be appropriate for OpenDNSSEC to have something similar - so the logfile ends up with no failed IXFR attempts?
Just a thought. (Can't remember seeing the option)

On Tue, 2014-09-02 at 14:37 +0200, Yuri Schaeffer wrote:
> Hi,
>
> > I'm running NSD 4.0.3 as a hidden master and OpenDNSSEC 1.4.6 on a
> > separate server getting plain zones from the hidden master via DNS
> > adapters. Everything is working fine, but occasionally I get the
> > following in the logs of OpenDNSSEC:
> >
> > Sep 2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org
> > request udp/ixfr=2373323896 to 192.168.157.46 Sep 2 10:33:08
> > srv-signer ods-signerd: [xfrd] bad packet: zone domain.org received
> > error code NOTIMPL from 192.168.157.46
>
> OpenDNSSEC requests an IXFR, but NSD does not support (serving) IXFR.
>
> > Sep 2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org
> > request axfr to 192.168.157.46 Sep 2 10:33:08 srv-signer
> > ods-signerd: [xfrd] zone domain.org got update indicating current
> > serial 2014082701 from 192.168.157.46
>
> ... And then OpenDNSSEC falls back to AXFR. Everything is fine.
>
> > And the second question: could somebody please explain the reasons
> > for increasing ZSK lifetime from 30 to 90 days in the default
> > policy?
>
> My guess is that 90 is considered "better" than 30 for people who just
> copy the defaults. Those people do not tend to be paranoid.
>
> But maybe Jakob remembers?
>
> $ git show 627d8279
> commit 627d82798aeb0d54e30bd63ce3a0131c4dbbb509
> Author: Jakob Schlyter <[email protected]>
> Date: Wed Apr 18 12:47:28 2012 +0000
>
>     Change the default signature validity to 14 days (was 7 days)
>     Change the default ZSK lifetime to 90 days (was 30 days)
>
> Regards,
> Yuri
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

-- 
Mark James ELKINS - Posix Systems - (South) Africa
[email protected]
Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
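The benign sequence described in the quoted reply (IXFR request, NOTIMPL, AXFR request, update) can be filtered out of ods-signerd logs so that only real transfer errors stand out. This is an added example, not part of the original mail or of OpenDNSSEC; `classify`, `SAMPLE_LOG` and the last five log lines are constructed here, assuming the line format quoted in the thread.

```python
import re

# First four lines are the log lines quoted in the thread; the remaining five
# are constructed for this example (same format, documentation addresses).
SAMPLE_LOG = """\
Sep 2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org request udp/ixfr=2373323896 to 192.168.157.46
Sep 2 10:33:08 srv-signer ods-signerd: [xfrd] bad packet: zone domain.org received error code NOTIMPL from 192.168.157.46
Sep 2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org request axfr to 192.168.157.46
Sep 2 10:33:08 srv-signer ods-signerd: [xfrd] zone domain.org got update indicating current serial 2014082701 from 192.168.157.46
Sep 2 10:40:00 srv-signer ods-signerd: [xfrd] zone example.net request udp/ixfr=5 to 192.0.2.53
Sep 2 10:40:00 srv-signer ods-signerd: [xfrd] bad packet: zone example.net received error code REFUSED from 192.0.2.53
Sep 2 10:41:00 srv-signer ods-signerd: [xfrd] zone example.org request udp/ixfr=7 to 192.0.2.53
Sep 2 10:41:00 srv-signer ods-signerd: [xfrd] bad packet: zone example.org received error code NOTIMPL from 192.0.2.53
Sep 2 10:41:00 srv-signer ods-signerd: [xfrd] zone example.org request axfr to 192.0.2.53
"""

LINE = re.compile(r"\[xfrd\] (?:bad packet: )?zone (?P<zone>\S+) (?P<rest>.*)$")
EVENTS = [  # only the "udp/ixfr" form appears in the thread; other prefixes are assumed
    ("ixfr", re.compile(r"request (?:\w+/)?ixfr=\d+ to (\S+)")),
    ("error", re.compile(r"received error code (\w+) from (\S+)")),
    ("axfr", re.compile(r"request axfr to (\S+)")),
    ("update", re.compile(r"got update indicating current serial \d+ from (\S+)")),
]

def classify(log_text):
    """Return (benign, alerts); entries are keyed by (zone, master address)."""
    state, benign, alerts = {}, [], []
    for line in log_text.splitlines():
        m = LINE.search(line)
        hits = [(n, p.match(m["rest"])) for n, p in EVENTS] if m else []
        hits = [(n, e) for n, e in hits if e]
        if not hits:
            continue
        name, e = hits[0]
        key = (m["zone"], e.groups()[-1])
        prev = state.pop(key, None)
        if name == "ixfr":
            state[key] = "ixfr"
        elif name == "error" and e.group(1) == "NOTIMPL" and prev == "ixfr":
            state[key] = "notimpl"  # expected when the master does not serve IXFR
        elif name == "error":
            alerts.append((key, "rcode " + e.group(1)))
        elif name == "axfr":
            state[key] = "fallback" if prev == "notimpl" else "axfr"
        elif name == "update" and prev == "fallback":
            benign.append(key)
    # A NOTIMPL that never ended in a completed AXFR is a real transfer problem.
    alerts += [(k, "fallback incomplete") for k, s in state.items() if s in ("notimpl", "fallback")]
    return benign, alerts
```
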
