On Tue, 11 Sep 2012, Matthijs Mekking wrote:

> The core design of OpenDNSSEC consists of two daemons, the enforcer and
> the signer. The enforcer takes care of key management, the signer takes
> care of zone management. We made the decision that the enforcer should
> not have access to the zone contents. But some zone parameters are
> needed in order to implement the correct timings for key rollovers. The
> SOA TTL is used to calculate the time RRsets can end up in the NCACHE:
>
>         min(SOA TTL, SOA MINIMUM)

Ahh okay. Understood. Perhaps a comment in the stock config file stating
something along these lines would be good, eg:

<!-- Specify the TTL value used in the unsigned zone. This is used by
     ods-enforcerd, which does not read zone content, to calculate various
     key rollover safety timings
-->

It would also be nice to have man pages for the config files, even though
"man kasp.xml" is a little awkward, perhaps migrate that to kasp.conf in
a future major release?

Paul