Hi Mathieu,

I believe that it is correct that the signer puts that many NSEC3 records in the zone. It has two for the domain names d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa. and 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa. and 19 for the empty non-terminals that exist between these two domain names. So perhaps the auditor is complaining unjustly.

Best regards,
Matthijs

On 07/14/2010 12:31 PM, Mathieu Arnold wrote:
> +--On 14 July 2010 11:47:19 +0200 Matthijs Mekking
> <matth...@nlnetlabs.nl> wrote:
> | Hi Mathieu,
> |
> | Those are indeed a lot of NSEC3 records. Could you share with me the
> | kasp.xml file you are using for this zone (off list if you like)?
>
> It's pretty standard, but that's the part:
>
> <Signatures>
>   <Resign>PT4H</Resign>
>   <Refresh>P3D</Refresh>
>   <Validity>
>     <Default>P7D</Default>
>     <Denial>P7D</Denial>
>   </Validity>
>   <Jitter>PT6H</Jitter>
>   <InceptionOffset>PT1H</InceptionOffset>
> </Signatures>
>
> <Denial>
>   <NSEC3>
>     <Resalt>P50D</Resalt>
>     <Hash>
>       <Algorithm>1</Algorithm>
>       <Iterations>100</Iterations>
>       <Salt length="8"/>
>     </Hash>
>   </NSEC3>
> </Denial>
>
> <Keys>
>   <!-- Parameters for both KSK and ZSK -->
>   <TTL>PT3H</TTL>
>   <RetireSafety>PT30H</RetireSafety>   <!-- P1DT6H does not work -->
>   <PublishSafety>PT30H</PublishSafety> <!-- P1DT6H does not work -->
>   <!-- <ShareKeys/> -->
>   <Purge>P5D</Purge>
>
>   <!-- Parameters for KSK only -->
>   <KSK>
>     <Algorithm length="2048">7</Algorithm>
>     <Lifetime>P1Y</Lifetime>
>     <Repository>softHSM</Repository>
>     <Standby>0</Standby>
>   </KSK>
>
>   <!-- Parameters for ZSK only -->
>   <ZSK>
>     <Algorithm length="1024">7</Algorithm>
>     <Lifetime>P30D</Lifetime>
>     <Repository>softHSM</Repository>
>     <Standby>0</Standby>
>   </ZSK>
> </Keys>
>
> <Zone>
>   <PropagationDelay>PT5M</PropagationDelay>
>   <SOA>
>     <TTL>PT12H</TTL>
>     <Minimum>PT12H</Minimum>
>     <Serial>counter</Serial>
>   </SOA>
> </Zone>
>
> <Parent>
>   <PropagationDelay>PT6H</PropagationDelay>
>   <DS>
>     <TTL>P2D</TTL>
>   </DS>
>   <SOA>
>     <TTL>PT2H</TTL>
>     <Minimum>PT6H</Minimum>
>   </SOA>
> </Parent>
>
> <!-- <Audit/> -->
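Added example, not code from this thread or from OpenDNSSEC: it enumerates every name an NSEC3 chain has to cover for the two owner names discussed above, which makes the 19 empty non-terminals (and the 21 NSEC3 records in total) visible, and then hashes each name the way RFC 5155 prescribes, using the SHA-1 / 100-iteration / 8-byte-salt parameters from the quoted kasp.xml. The salt bytes are constructed for the example; the zone's real salt is not on the page. The RFC 5155 Appendix A vector (salt aabbccdd, 12 iterations, name example.) is used to check the hash function.

```python
import base64
import hashlib

# Zone apex and the one explicit owner name from the thread above.
APEX = "d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa."
OWNER = "0." * 20 + APEX

# NSEC3 parameters matching the quoted kasp.xml: SHA-1, 100 iterations, 8-byte salt.
# The salt value itself is constructed here; the real zone's salt is not on the page.
ITERATIONS = 100
SALT = bytes.fromhex("0123456789abcdef")


def labels(name):
    """Split a fully-qualified name into lowercase labels, dropping the root."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def names_covered(apex, owners):
    """Every name NSEC3 must account for: the apex, each owner name, and every
    empty non-terminal (ENT) on the path from an owner up to the apex.
    RFC 5155 requires an NSEC3 RR for ENTs, which NSEC does not."""
    apex_labels = labels(apex)
    covered = {".".join(apex_labels) + "."}
    for owner in owners:
        ls = labels(owner)
        if ls[-len(apex_labels):] != apex_labels:
            raise ValueError(f"{owner} is not under {apex}")
        # Walk from the owner towards the apex, one label at a time.
        for i in range(len(ls) - len(apex_labels)):
            covered.add(".".join(ls[i:]) + ".")
    return sorted(covered, key=lambda n: (len(labels(n)), n))


def empty_non_terminals(apex, owners):
    """Names that get an NSEC3 RR only because a longer name exists below them."""
    explicit = {".".join(labels(n)) + "." for n in [apex, *owners]}
    return [n for n in names_covered(apex, owners) if n not in explicit]


def wire_name(name):
    """Canonical wire form (RFC 4034 section 6.2): length-prefixed lowercase labels, root byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"


def base32hex(data):
    """RFC 4648 base32hex, the NSEC3 owner-name alphabet, in lowercase."""
    std = base64.b32encode(data).decode("ascii")
    return std.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")).lower()


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt), H = SHA-1."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_owner_names(apex, owners, salt, iterations):
    """Map each covered name to the NSEC3 owner name the signer emits for it."""
    return {n: nsec3_hash(n, salt, iterations) + "." + apex
            for n in names_covered(apex, owners)}


if __name__ == "__main__":
    ents = empty_non_terminals(APEX, [OWNER])
    print(f"{len(names_covered(APEX, [OWNER]))} NSEC3 records, {len(ents)} of them for ENTs")
    for plain, hashed in nsec3_owner_names(APEX, [OWNER], SALT, ITERATIONS).items():
        print(f"{hashed}  <-  {plain}")
```

Running it lists 21 hashed owner names; the 19 between the apex and the 20-zero name are the empty non-terminals that make the signer's output look inflated. Because every one of those 19 names differs, each gets its own hash, and with 100 iterations each hash costs 101 SHA-1 computations, which is worth keeping in mind when choosing Iterations for deep reverse zones.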