Long time since my last message to the list :) We've been working on a solution to have a separate signing engine in case OpenDNSSEC fails to sign data properly. We've been benefiting from ods4bind.pl (thanks Roy/Jakob) to do this.

Testing so far looks good, with the resulting zones passing the enforcer checks *except* for the signature lifetime. OpenDNSSEC, depending on the policy, will produce a different signature lifetime for NSEC/NSEC3 compared to the rest of the signatures. BIND, on the other hand, doesn't provide that functionality. Reading RFC 4641bis version 11, section 4.4.2.3 mentions why it's a good idea to have different lifetimes, but it's not very strong about it. Is it still a good idea to have a different policy? I understand that policy decisions are local and different lifetimes can be avoided by using the same lifetime value for both cases, but I'm trying to understand rather than fixing.

Thanks for your wisdom,

Cheers,

--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
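As an added example, not code from Sebastian's message, OpenDNSSEC or ods4bind.pl: a small Python check of the mismatch described above, which reads the RRSIG records of a signed zone, computes each signature's validity period (expiration minus inception) and reports any record whose lifetime differs from the policy value for its class (NSEC/NSEC3 versus everything else). The zone fragment, owner names, key tag and validity windows are constructed, and the signature field is a placeholder.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample zone fragment (hypothetical names, key tag and dates):
# NSEC signatures were issued with a 14-day validity, the rest with 31 days.
SAMPLE_ZONE = """\
example.nz. 3600 IN RRSIG SOA 8 2 3600 20240201000000 20240101000000 12345 example.nz. SIGPLACEHOLDER
example.nz. 3600 IN RRSIG NS 8 2 3600 20240201000000 20240101000000 12345 example.nz. SIGPLACEHOLDER
example.nz. 3600 IN RRSIG NSEC 8 2 3600 20240115000000 20240101000000 12345 example.nz. SIGPLACEHOLDER
www.example.nz. 3600 IN RRSIG A 8 3 3600 20240201000000 20240101000000 12345 example.nz. SIGPLACEHOLDER
www.example.nz. 3600 IN RRSIG NSEC 8 3 3600 20240115000000 20240101000000 12345 example.nz. SIGPLACEHOLDER
"""

# RRSIG presentation format: owner TTL IN RRSIG type-covered alg labels
# original-ttl expiration inception keytag signer signature
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+"
)

def parse_time(stamp):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_lifetimes(zone_text):
    """Map each covered RR type to the set of signature lifetimes (seconds) seen."""
    lifetimes = defaultdict(set)
    for line in zone_text.splitlines():
        match = RRSIG_RE.match(line)
        if not match:
            continue
        _owner, covered, expiration, inception = match.groups()
        seconds = int((parse_time(expiration) - parse_time(inception)).total_seconds())
        lifetimes[covered].add(seconds)
    return dict(lifetimes)

def check_policy(zone_text, denial_lifetime, default_lifetime):
    """Return (type, observed, expected) for every lifetime that breaks the policy:
    NSEC/NSEC3 signatures must use denial_lifetime, all others default_lifetime."""
    problems = []
    for covered, seen in rrsig_lifetimes(zone_text).items():
        expected = denial_lifetime if covered in ("NSEC", "NSEC3") else default_lifetime
        for seconds in sorted(seen):
            if seconds != expected:
                problems.append((covered, seconds, expected))
    return problems

if __name__ == "__main__":
    # A policy with a single lifetime for everything flags the shorter NSEC signatures.
    print(check_policy(SAMPLE_ZONE, 31 * 86400, 31 * 86400))
```

Running the same check with the denial lifetime set to 14 days (the value the sample was signed with) returns an empty list.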
