On 17 Sep 2010, at 10:44, Niobos <nio...@dest-unreach.be> wrote:
>
> In my opinion, BIND should have resigned this by now: The signature is
> valid until a little over 2 days. This means that if the slave would
> lose contact with the master right now, it will give out signatures
> that will expire before their TTL does.
> According to my calculations, RRSIGs should be regenerated zone-expire +
> RR-ttl seconds before the RRSIG expires.
You have to manually set the zone expiry time, TTLs, signature lifetime, and
re-signing time consistently.
The documentation for 9.7.1 says:
sig-validity-interval
Specifies the number of days into the future when DNSSEC signatures
automatically generated as a result of dynamic updates (the section called
“Dynamic Update”) will expire. There is an optional second field which
specifies how long before expiry that the signatures will be regenerated. If
not specified, the signatures will be regenerated at 1/4 of base interval. The
second field is specified in days if the base interval is greater than 7 days
otherwise it is specified in hours. The default base interval is 30 days giving
a re-signing interval of 7 1/2 days. The maximum values are 10 years (3660
days).
The signature inception time is unconditionally set to one hour before the
current time to allow for a limited amount of clock skew.
The sig-validity-interval should be, at least, several multiples of the SOA
expire interval to allow for reasonable interaction between the various timer
and expiry dates.
Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
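The timer relationship discussed in this thread, worked through as an added example (not code from the original posts or from BIND): it parses a `sig-validity-interval` statement, derives the re-signing lead time using the rules from the 9.7.1 documentation quoted above, and checks it against the requirement stated in the quoted message (re-sign at least SOA expire plus RR TTL before the RRSIG expires). The SOA expire and TTL values are constructed, not taken from the thread.

```python
import re

DAY, HOUR = 86400, 3600

def parse_sig_validity_interval(line):
    """Parse a named.conf 'sig-validity-interval BASE [RESIGN];' statement
    into (base_days, resign_or_None)."""
    m = re.match(r"\s*sig-validity-interval\s+(\d+)(?:\s+(\d+))?\s*;", line)
    if not m:
        raise ValueError("not a sig-validity-interval statement: %r" % line)
    base = int(m.group(1))
    resign = int(m.group(2)) if m.group(2) else None
    return base, resign

def resign_lead_seconds(base_days, resign=None):
    """Seconds before RRSIG expiry at which BIND re-signs, following the
    9.7.1 documentation quoted above: default is 1/4 of the base interval;
    an explicit second field is in days when base > 7 days, else in hours."""
    if not 1 <= base_days <= 3660:
        raise ValueError("base interval must be 1..3660 days")
    if resign is None:
        return base_days * DAY // 4
    return resign * (DAY if base_days > 7 else HOUR)

def check_timers(soa_expire, max_ttl, base_days, resign=None):
    """Apply the rule from the quoted message: a slave that loses its master
    just before a re-signing keeps serving the old RRSIG for up to soa_expire
    seconds, and resolvers may cache those RRs for max_ttl more, so the
    re-sign lead must cover soa_expire + max_ttl. Also reports how many SOA
    expire intervals the base signature lifetime spans (the reply's
    'several multiples' guideline)."""
    lead = resign_lead_seconds(base_days, resign)
    required = soa_expire + max_ttl
    return {
        "lead": lead,
        "required": required,
        "ok": lead >= required,
        "lifetime_over_expire": base_days * DAY / soa_expire,
    }

if __name__ == "__main__":
    # Constructed example: SOA expire of 1 week, largest RR TTL of 1 day.
    for stmt in ("sig-validity-interval 30;", "sig-validity-interval 30 10;"):
        base, resign = parse_sig_validity_interval(stmt)
        print(stmt, check_timers(7 * DAY, DAY, base, resign))
```

With the default 30-day interval the lead is 7.5 days, which is shorter than a one-week expire plus a one-day TTL, so the check fails; raising the second field to 10 days makes it pass.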