On 2010-09-17 12:15, Tony Finch wrote:
> On 17 Sep 2010, at 10:44, Niobos <nio...@dest-unreach.be> wrote:
>>
>> In my opinion, BIND should have resigned this by now: the signature is
>> valid until a little over 2 days. This means that if the slave would
>> lose contact with the master right now, it will give out signatures
>> that will expire before their TTL does.
>> According to my calculations, RRSIGs should be regenerated zone-expire +
>> RR-ttl seconds before the RRSIG expires.
>
> You have to manually set the zone expiry time, TTLs, signature lifetime,
> and re-signing time consistently.
>
> The documentation for 9.7.1 says:
>
> sig-validity-interval
>
> Specifies the number of days into the future when DNSSEC signatures
> automatically generated as a result of dynamic updates (the section
> called "Dynamic Update"
> <http://dotat.at/tmp/arm97/Bv9ARM.ch04.html#dynamic_update>) will
> expire. There is an optional second field which specifies how long
> before expiry that the signatures will be regenerated. If not specified,
> the signatures will be regenerated at 1/4 of base interval. The second
> field is specified in days if the base interval is greater than 7 days
> otherwise it is specified in hours. The default base interval
> is 30 days giving a re-signing interval of 7 1/2 days. The maximum
> values are 10 years (3660 days).

Wonderful, exactly what I was looking for.

Unfortunately, this mail is the first place where I find a reference to this second field. My Google searches for "bind arm sig-validity-interval" only return the single-field descriptions (e.g. http://training.nlnetlabs.nl/Documentation/bind-arm/Bv9ARM.ch06.html#zone_statement_grammar ); even the man page of my installation says:

    sig-validity-interval integer;

note the absence of the second field. Is the current version of the ARM available online somewhere?

Thx,
Niobos

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
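As an added illustration of the re-signing arithmetic discussed in this thread (example code written for this page, not code from the thread or from BIND itself), the following Python parses the two-field `sig-validity-interval` statement exactly as the quoted ARM text describes it and checks the resulting re-sign lead time against Niobos's "zone-expire + RR-TTL" rule. The SOA expire and TTL values used at the bottom are constructed sample inputs, and the rule itself is Niobos's reasoning, not a check BIND performs.

```python
from dataclasses import dataclass
from typing import Optional

DAY = 86400
HOUR = 3600


@dataclass
class SigValidity:
    """A parsed `sig-validity-interval base [resign];` statement (BIND 9.7 ARM semantics)."""
    base_days: int
    resign: Optional[int] = None  # raw second field; None when the field is absent

    def lifetime_seconds(self) -> int:
        return self.base_days * DAY

    def resign_lead_seconds(self) -> int:
        """Seconds before RRSIG expiry at which BIND regenerates the signature."""
        if self.resign is None:
            # No second field: re-sign at 1/4 of the base interval (30 days -> 7.5 days).
            return self.lifetime_seconds() // 4
        # Second field is in days if the base interval exceeds 7 days, otherwise in hours.
        unit = DAY if self.base_days > 7 else HOUR
        return self.resign * unit


def parse_sig_validity(statement: str) -> SigValidity:
    """Parse one named.conf statement such as 'sig-validity-interval 30 20;'."""
    fields = statement.strip().rstrip(";").split()
    if len(fields) not in (2, 3) or fields[0] != "sig-validity-interval":
        raise ValueError(f"not a sig-validity-interval statement: {statement!r}")
    resign = int(fields[2]) if len(fields) == 3 else None
    return SigValidity(int(fields[1]), resign)


def required_lead_seconds(soa_expire: int, max_rr_ttl: int) -> int:
    """Niobos's rule: a slave cut off from its master may keep serving the zone for
    SOA-expire seconds, and a resolver may cache any record for its TTL beyond that,
    so every RRSIG must be refreshed at least that long before it expires."""
    return soa_expire + max_rr_ttl


def slave_safe(cfg: SigValidity, soa_expire: int, max_rr_ttl: int) -> bool:
    """True if the configured re-sign lead time covers the worst-case slave/cache window."""
    return cfg.resign_lead_seconds() >= required_lead_seconds(soa_expire, max_rr_ttl)


if __name__ == "__main__":
    expire, ttl = 14 * DAY, 1 * DAY  # constructed sample SOA expire and record TTL
    for stmt in ("sig-validity-interval 30;", "sig-validity-interval 30 20;"):
        cfg = parse_sig_validity(stmt)
        print(stmt, cfg.resign_lead_seconds() / DAY, "days lead;",
              "safe" if slave_safe(cfg, expire, ttl) else "UNSAFE")
```

With the default single-field setting the lead time is 7.5 days, which is shorter than a 14-day SOA expire plus a 1-day TTL, so by Niobos's criterion the explicit second field is what makes the configuration consistent.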