Hi Paul,

The core design of OpenDNSSEC consists of two daemons, the enforcer and
the signer. The enforcer takes care of key management, the signer takes
care of zone management. We made the decision that the enforcer should
not have access to the zone contents. But some zone parameters are
needed in order to implement the correct timings for key rollovers. The
SOA TTL is used to calculate the time RRsets can end up in the NCACHE:

        min(SOA TTL, SOA MINIMUM)

Best regards,
  Matthijs


On 09/11/2012 12:26 AM, Paul Wouters wrote:
> 
> While investigating why a bind signer and an opendnssec signer ended up
> with a different SOA record from the same unsigned zone, I found that
> opendnssec modified the SOA's TTL.
> 
> Its behaviour is defined in the kasp.xml <SOA> section that provides
> the override, but does not seem to have an option "keep" (like it does
> for the serial).
> 
> I would prefer to not have to hardcode a TTL value outside of the
> unsigned zone file. If this ever changes, someone will forget to
> update the kasp.xml to match the unsigned zonefile's SOA TTL value.
> 
> Is there a reason why opendnssec wants to take over control of this
> value?
> 
> Paul
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

