On 27-10-2021 18:48, Alessandro Vesely wrote:
> 3. The server produces new .signed and .signed.jnl files every day,
> which is inconvenient as the zone files directory is checked by
> tripwire. Is that timing determined by the dnskey-ttl? Would it be
> okay to set it to one month?
The zone is signed if a signature is about to expire. It is not
determined by dnskey-ttl. I would exclude these files from tripwire
because they need to be written out anyway.
> Then, why does it have to rewrite it every day, if the zone didn't
> change? dnskey-ttl is the only one-day timing thing, except parent-ds-ttl.
It shouldn't. It should only rewrite if there are changes, for example
due to zone updates or due to resigning.
> BTW, DS RR has a ttl of 10800 at the parent; should I copy that to
> parent-ds-ttl in my policy definition?
Yes.
> What for?
To make sure the key rollovers are timed correctly.
In addition, I took a closer look at your policy.
publish-safety P3W;
retire-safety P3W;
The publish-safety and retire-safety are intended to be small margins
added to rollover timings to give some extra time to cover unforeseen
events. The defaults are 1 hour. Maybe you have good reasons to set them
to 3 weeks, but it is remarkably long.
Best regards,
Matthijs
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
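Added worked example (mine, not code from the post above or from BIND): a small calculator that turns the timing options of a dnssec-policy into the rollover intervals they determine, so the effect of parent-ds-ttl and of the P3W safety margins can be seen in numbers. Assumptions that are not stated in the thread: the interval model is RFC 7583's pre-publication/double-signature timing with BIND's publish-safety and retire-safety margins added to the pre- and post-publication intervals (my reading of the ARM); the defaults in DEFAULTS are the 9.16 dnssec-policy defaults as I remember them; ISO 8601 months and years are taken as 30 and 365 days; the "posted" policy below is constructed from the values mentioned in the thread (one-day dnskey-ttl, 10800-second parent DS TTL, three-week margins), and the lint threshold of one day is an arbitrary choice.

```python
"""Key-rollover timing for a BIND 9 dnssec-policy (added example, not BIND code).

Interval model (assumption, RFC 7583 plus BIND's safety margins):
  Ipub     = dnskey-ttl    + zone-propagation-delay   + publish-safety
  Iret-ZSK = max-zone-ttl  + zone-propagation-delay   + retire-safety
  Iret-KSK = parent-ds-ttl + parent-propagation-delay + retire-safety
"""
import re
from datetime import timedelta

# Timing-related dnssec-policy defaults (assumption: BIND 9.16 ARM values as
# remembered; verify against the ARM for the version actually in use).
DEFAULTS = {
    "dnskey-ttl": "PT1H",
    "max-zone-ttl": "P1D",
    "zone-propagation-delay": "PT5M",
    "parent-ds-ttl": "P1D",
    "parent-propagation-delay": "PT1H",
    "publish-safety": "PT1H",
    "retire-safety": "PT1H",
}

_ISO8601 = re.compile(
    r"^P(?:(?P<years>\d+)Y)?(?:(?P<months>\d+)M)?(?:(?P<weeks>\d+)W)?(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)
# Months and years are approximated (assumption), the rest is exact.
_UNIT_SECONDS = {"years": 365 * 86400, "months": 30 * 86400, "weeks": 604800,
                 "days": 86400, "hours": 3600, "minutes": 60, "seconds": 1}


def parse_duration(value):
    """Parse a named.conf duration: bare seconds ("10800") or ISO 8601 ("P3W", "PT1H", "P1M")."""
    text = str(value).strip().upper()
    if text.isdigit():
        return timedelta(seconds=int(text))
    m = _ISO8601.match(text)
    if not m or not any(m.groupdict().values()):
        raise ValueError(f"unsupported duration: {value!r}")
    return timedelta(seconds=sum(int(v) * _UNIT_SECONDS[k]
                                 for k, v in m.groupdict().items() if v))


def rollover_intervals(policy):
    """Return the intervals (timedelta) the policy's timing options determine; unset options use DEFAULTS."""
    p = {k: parse_duration(v) for k, v in {**DEFAULTS, **policy}.items()}
    return {
        # How long a new DNSKEY must be published before it may sign anything.
        "Ipub": p["dnskey-ttl"] + p["zone-propagation-delay"] + p["publish-safety"],
        # How long a retired ZSK stays published so cached RRSIGs still validate.
        "Iret-ZSK": p["max-zone-ttl"] + p["zone-propagation-delay"] + p["retire-safety"],
        # How long a retired KSK stays published after the parent swaps the DS.
        "Iret-KSK": p["parent-ds-ttl"] + p["parent-propagation-delay"] + p["retire-safety"],
    }


def lint_policy(policy, max_safety="P1D"):
    """Flag safety margins that dominate the rollover instead of padding it (threshold is an assumption)."""
    limit = parse_duration(max_safety)
    warnings = []
    for opt in ("publish-safety", "retire-safety"):
        raw = policy.get(opt, DEFAULTS[opt])
        if parse_duration(raw) > limit:
            warnings.append(f"{opt} {raw} exceeds {max_safety}; default is {DEFAULTS[opt]}")
    return warnings


# Constructed policy mirroring the thread: one-day DNSKEY TTL, the parent's
# 10800 s DS TTL copied into parent-ds-ttl, and three-week safety margins.
POSTED_POLICY = {
    "dnskey-ttl": "P1D",
    "parent-ds-ttl": "10800",
    "publish-safety": "P3W",
    "retire-safety": "P3W",
}
# Same policy with the default one-hour margins.
CORRECTED_POLICY = {**POSTED_POLICY, "publish-safety": "PT1H", "retire-safety": "PT1H"}

if __name__ == "__main__":
    for name, pol in (("posted", POSTED_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, {k: str(v) for k, v in rollover_intervals(pol).items()}, lint_policy(pol))
    # Effect of the one-month dnskey-ttl asked about in the thread on the pre-publication interval.
    print("Ipub with dnskey-ttl P1M:",
          rollover_intervals({**CORRECTED_POLICY, "dnskey-ttl": "P1M"})["Ipub"])
```

With the three-week margins every interval is roughly 21 to 22 days, so a KSK rollover waits about three weeks after the DS swap before the old key can go, whereas with the default margins the DS-side wait is parent-ds-ttl (10800 s) plus the one-hour propagation delay plus one hour, i.e. five hours; the DNSKEY TTL itself only enters Ipub, which is why raising it to a month stretches pre-publication by a month but has nothing to do with how often the signed file is rewritten.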