> From the RRSIG, timestamps are
>
> ... 20161219184751 20161219164734 ...
>
> That, then, appears to be a validity timeframe of only 2+ hours?
>
> What config parameter specifies THAT range?
>
> 2+ hours seems rather short. I *am* currently working with policy == lab

Yes, the lab policy is not anywhere near a sane policy for production. But it helps for testing, being able to track rollovers and resigns in realtime. The default policy is a good starting point for actual use.

Main parameters here are
signatures/validity/default
+signatures/inceptionoffset
+/-signatures/jitter

> So that I understand correctly, the valid signature range IS, or is NOT,
> related to the 'typical' KSK/ZSK rollover times?

It is not. It determines how often signatures are refreshed. It has no influence on how fast keys will roll.

//Yuri
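The window arithmetic from the reply above, as an added example that is not part of the original email or of OpenDNSSEC's code: it measures the RRSIG window from the two quoted timestamps and checks it against validity + inceptionoffset +/- jitter. The policy durations passed in the demo are hypothetical values, not taken from any shipped policy, and only the YYYYMMDDHHmmSS timestamp form is handled.

```python
import re
from datetime import datetime, timedelta, timezone

def rrsig_time(field):
    """Parse an RRSIG presentation timestamp (YYYYMMDDHHmmSS, always UTC)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def duration(text):
    """Parse day/hour/minute/second ISO 8601 durations, e.g. PT1H or P1DT12H."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def signature_window(expiration, inception):
    """Length of the interval during which a validator accepts the signature."""
    exp, inc = rrsig_time(expiration), rrsig_time(inception)
    if exp <= inc:
        raise ValueError("expiration is not after inception")
    return exp - inc

def expected_window(validity, inception_offset, jitter):
    """(shortest, longest) window: validity + inceptionoffset -/+ jitter."""
    base = duration(validity) + duration(inception_offset)
    j = duration(jitter)
    return base - j, base + j

def window_matches_policy(expiration, inception, validity, inception_offset, jitter):
    """True if the observed window is one the given policy values can produce."""
    lo, hi = expected_window(validity, inception_offset, jitter)
    return lo <= signature_window(expiration, inception) <= hi

if __name__ == "__main__":
    # Timestamps quoted in the thread; RRSIG lists expiration before inception.
    exp, inc = "20161219184751", "20161219164734"
    print("observed window:", signature_window(exp, inc))
    # Hypothetical policy durations (assumption, chosen for illustration).
    print("fits policy:", window_matches_policy(exp, inc, "PT1H", "PT3600S", "PT2M"))
```

A window falling outside the computed range means the signatures were produced under different policy values than the ones being checked, which is worth catching before a short test policy reaches a production zone.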
