On 12/19/2016 11:38 AM, Yuri Schaeffer wrote:
>>     egrep -i "serial|SOA" /var/opendnssec/signed/example.info
>>         example.info.     300     IN      SOA     dns.example.com. soacontact.example.com. 1482169654 7200 1800 604800 300
>>         example.info.     300     IN      RRSIG   SOA 8 2 300 20161219184751 20161219164734 38544 example.info. pib...U=
>>
>> shouldn't the 'unixtime' format be used consistently/unchanged in the
>> RRSIG SOA record as well?

> You are mixing two concepts.
>
> The SOA record indeed has a unixtime serial like you specified. The
> timestamps you see in the RRSIG SOA (or any other RRSIG in your zone)
> are *not* serial numbers. They represent the actual times between
> which this signature is valid.
>
> The SOA serial format is available for creative uses since the only
> requirement is that it increases for each zone version. The RRSIG
> timestamps are not to be tampered with.

Aha, ok.

From the RRSIG, timestamps are

   ... 20161219184751 20161219164734 ...

That, then, appears to be a validity timeframe of only 2+ hours?

What config parameter specifies THAT range?

2+ hours seems rather short. I *am* currently working with policy == lab ...

So that I understand correctly, the valid signature range IS, or is NOT, related to the 'typical' KSK/ZSK rollover times?
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
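As an added illustration of the distinction Yuri draws (this is example code written here, not code from the thread or from OpenDNSSEC), the following script pulls the unixtime SOA serial and the RRSIG expiration/inception fields out of the two records quoted above and reports how long the signature is valid and where the signing time sits inside that window. Field positions follow the RRSIG presentation format of RFC 4034; the two record lines are copied from the thread, with the signature still elided as "pib...U=".

```python
from datetime import datetime, timezone

# Sample input, copied from the egrep output quoted in the thread.
SOA_LINE = ("example.info. 300 IN SOA dns.example.com. soacontact.example.com. "
            "1482169654 7200 1800 604800 300")
RRSIG_LINE = ("example.info. 300 IN RRSIG SOA 8 2 300 "
              "20161219184751 20161219164734 38544 example.info. pib...U=")


def parse_rrsig_time(field):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def soa_serial_as_unixtime(soa_line):
    """Interpret the SOA serial as a Unix timestamp. This is only meaningful
    when the zone is configured for the 'unixtime' serial format, as here."""
    fields = soa_line.split()  # owner ttl class SOA mname rname serial ...
    return datetime.fromtimestamp(int(fields[6]), tz=timezone.utc)


def rrsig_validity(rrsig_line):
    """Return (inception, expiration, window_seconds) for one RRSIG line.
    Presentation format: ... RRSIG type alg labels origttl expiration inception keytag ..."""
    fields = rrsig_line.split()
    expiration = parse_rrsig_time(fields[8])
    inception = parse_rrsig_time(fields[9])
    return inception, expiration, int((expiration - inception).total_seconds())


def describe(soa_line, rrsig_line):
    """Relate the signing time (from the unixtime serial) to the RRSIG window."""
    signed_at = soa_serial_as_unixtime(soa_line)
    inception, expiration, window = rrsig_validity(rrsig_line)
    return {
        "signed_at": signed_at,
        "inception": inception,
        "expiration": expiration,
        "window_seconds": window,
        # How far the inception was back-dated relative to the signing time.
        "inception_offset_seconds": int((signed_at - inception).total_seconds()),
        "serial_within_window": inception <= signed_at <= expiration,
    }


if __name__ == "__main__":
    for key, value in describe(SOA_LINE, RRSIG_LINE).items():
        print(f"{key}: {value}")
```

For the quoted records the window comes out at 7217 seconds (the "2+ hours" in the question), and the unixtime serial falls one hour after the inception, so the serial and the RRSIG timestamps describe different things even though both are derived from the signer's clock.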