On 04/29/2011 05:57 AM, [email protected] wrote:
> Hi.
>

Hi,

> I have a bind9 hidden primary feeding a remote nsd secondary, which
> itself feeds another secondary @ my host which is exposed to the 'net.
>
> I'm installing opendnssec on the bind9 box; I'm walking through the
> install documentation.
>
> @ /etc/opendnssec/kasp.xml, I'm unclear about the need/use of
> <Parent>...</Parent> in my case. Do I need that stanza?
>

Unless your zone is the root zone, you will need that ;)

> And, in both <Zone>...</Zone> and <Parent>...</Parent>, I note
> <PropagationDelay>PT####S</PropagationDelay>. Where do I get those
> propagation delay values? Iiuc, it's not something I *control*, is it?
> Is it heuristically determined?
>

If you check the documentation about the KASP

http://trac.opendnssec.org/wiki/Signer/Using/Configuration/kasp

you will get a hint of what they mean. How to get them? Usually from
your parent's policy (likely the DPS). Let's check case by case:

<PropagationDelay> is the interval between the time a new KSK is
published in the zone and the time that the DS record appears in the
parent zone.
-> How long does the parent take to receive, process and publish a DNS
change? 5 minutes? 5 hours?

The <DS> tag holds information about the DS record in the parent. It
contains a single element, <TTL>, which should be set to the TTL of the
DS record in the parent zone.
-> Which TTL will they be using for the DS records? The same as the NS
records? If the parent is already publishing DS records for other child
zones, you can get that from the DNS. If the registry interface allows
you to specify the TTL for the DS records, it's up to you to decide.

<SOA> gives information about parameters of the parent's SOA record,
used by KASP in its calculations. As before, <TTL> is the TTL of the SOA
record and <Minimum> is the value of the "minimum" parameter.
-> You can get this from the SOA record of your parent zone.
I hope it helps

Cheers,

> Thanks,
>
> DCh
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
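The lookup described in the reply above, as an added example (not part of the original message and not OpenDNSSEC code): it reads the parent's SOA and DS answers in `dig +noall +answer` form and renders the <Parent> stanza. The zone name "example.", the record values, the function names and the propagation delay passed in are all constructed assumptions.

```python
import re

# Constructed sample: answers as printed by `dig +noall +answer`, asked of an
# authoritative server for the parent zone (a resolver's cache would show a
# counted-down TTL). "example." and every value here are placeholders.
SAMPLE_DIG_OUTPUT = """\
example.        86400 IN SOA ns1.example. hostmaster.example. 2011042901 7200 900 1209600 3600
child.example.  3600  IN DS  12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(SOA|DS)\s+(.+)$")


def parse_parent_values(dig_output):
    """Return DS TTL, SOA TTL and SOA minimum (seconds) from dig answer lines."""
    values = {}
    for line in dig_output.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue  # comments, blank lines, other record types
        _owner, ttl, rtype, rdata = m.groups()
        if rtype == "DS":
            values["ds_ttl"] = int(ttl)
        else:
            fields = rdata.split()
            if len(fields) != 7:
                raise ValueError("malformed SOA rdata: " + rdata)
            values["soa_ttl"] = int(ttl)
            values["soa_minimum"] = int(fields[6])  # last SOA field
    missing = {"ds_ttl", "soa_ttl", "soa_minimum"} - values.keys()
    if missing:
        raise ValueError("missing from input: " + ", ".join(sorted(missing)))
    return values


def parent_stanza(dig_output, propagation_delay_s):
    """Render <Parent>; the delay comes from the parent's policy, not from DNS."""
    v = parse_parent_values(dig_output)
    return (
        "<Parent>\n"
        f"  <PropagationDelay>PT{propagation_delay_s}S</PropagationDelay>\n"
        f"  <DS><TTL>PT{v['ds_ttl']}S</TTL></DS>\n"
        f"  <SOA><TTL>PT{v['soa_ttl']}S</TTL>"
        f"<Minimum>PT{v['soa_minimum']}S</Minimum></SOA>\n"
        "</Parent>"
    )


if __name__ == "__main__":
    print(parent_stanza(SAMPLE_DIG_OUTPUT, 3600))
```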
