Hi,

One of the SOA serial strategies OpenDNSSEC has is keep. OpenDNSSEC will never change the serial it receives from the master; it will just be copied over. As a consequence, changes to the signed zone can only be made when a change from the master comes in. OpenDNSSEC will not be able to refresh signatures (and thus they might expire) until a change comes in. OpenDNSSEC cannot ensure validity of a zone.

Personally I think the keep strategy is just generally a bad idea. I'm thinking about deprecating the keep strategy in favour of simpler code and less chance to shoot yourself in the foot. Therefore I'd like to know if there (still) is actually any demand for this feature. Is there an important use case I'm missing? Is anyone using this?

Regards,
Yuri
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
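
Added example, not part of the original message and not OpenDNSSEC code: a monitoring check for a zone signed with the keep strategy, reporting which RRSIGs have expired or fall inside an assumed refresh window while the serial stays unchanged. The zone data, the names `keep_strategy_report`, `rrsig_expirations` and `soa_serial`, and the 3-day `refresh` default are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a signed zone (names, key tag and signatures are made up).
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 10800 3600 604800 3600
example.test. 3600 IN RRSIG SOA 13 2 3600 20240115000000 20240101000000 12345 example.test. c2lnMQ==
example.test. 3600 IN RRSIG NS 13 2 3600 20240112060000 20240101000000 12345 example.test. c2lnMg==
www.example.test. 300 IN RRSIG A 13 3 300 20240120000000 20240106000000 12345 example.test. c2lnMw==
"""

def soa_serial(zone_text):
    """Serial of the first SOA record, or None if the zone text has none."""
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[3] == "SOA":
            return int(f[6])
    return None

def rrsig_expirations(zone_text):
    """Return (owner, covered type, expiration) for every RRSIG line."""
    sigs = []
    for line in zone_text.splitlines():
        f = line.split()
        # owner TTL class RRSIG covered alg labels orig-ttl expiration inception ...
        if len(f) >= 10 and f[3] == "RRSIG":
            exp = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            sigs.append((f[0], f[4], exp))
    return sigs

def keep_strategy_report(zone_text, now, refresh=timedelta(days=3)):
    """Classify signatures a signer would want to replace by `now`.

    `refresh` is an assumed lead time before expiry. With the keep strategy
    nothing listed here can be re-signed until the master sends a new serial.
    """
    sigs = rrsig_expirations(zone_text)
    return {
        "serial": soa_serial(zone_text),
        "expired": sorted((o, t) for o, t, e in sigs if e <= now),
        "due": sorted((o, t) for o, t, e in sigs if now < e <= now + refresh),
        "earliest_expiry": min((e for _, _, e in sigs), default=None),
    }

if __name__ == "__main__":
    print(keep_strategy_report(SAMPLE_ZONE, datetime(2024, 1, 14, tzinfo=timezone.utc)))
```

A non-empty `expired` or `due` list alongside an unchanged `serial` is the condition described in the message: the signatures age while the signer waits for the master.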
