-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/11/2012 04:56 PM, Paul Wouters wrote: > On Tue, 11 Sep 2012, Matthijs Mekking wrote: > >> The core design of OpenDNSSEC exists of two daemons, the enforcer >> and the signer. The enforcer takes care of key management, the >> signer takes care of zone management. We made the decision that >> the enforcer should not have access to the zone contents. But >> some zone parameters are needed in order to implement the correct >> timings for key rollovers. The SOA TTL is used to calculate the >> time RRsets can end up in the NCACHE: >> >> min(SOA TTL, SOA MINIMUM) > > Ahh okay. Understood. Perhaps a comment in the stock config file > stating something along these lines would be good, eg: > > <!-- Specify the TTL value used in the unsigned zone. This is used > by ods-enforcerd, which does not read zone content, to calculate > various key rollover safety timings ->
Yes. > > It would also be nice to have man pages for the config files, even > though "man kasp.xml" is a little awkward, perhaps migrate that to > kasp.conf in a future major release? Good idea. I have created a report for this: https://issues.opendnssec.org/browse/OPENDNSSEC-328 In the meantime, you can look up the documentation here https://wiki.opendnssec.org/display/DOCS/Configuration+files (for 1.3.x) and here https://wiki.opendnssec.org/display/DOCSTRUNK/Configuration+files (for the upcoming 1.4 release) > > Paul -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQEcBAEBAgAGBQJQUEC2AAoJEA8yVCPsQCW5U+EH/1yjJec9NyhXs4B2VcMnj1JX JbRJVKjpb+Q1gjK+H9Ia/9laiO9kmmFpQz/3oP75SQWgYaCVUvxGtuDM8McXMMI2 c8Dvn/DajQXcIM7VqZ6ggH6o60uhGYknrWwlDKGNjqbE/9q2M9ggnNbMyhsB2XDS xT3N+M4vJbNj+7Ca3QwmmjQjYnVIYT91d4bEOXXhXDjuBRvEN7tj3Z5UHFshlQsr TZk4tO/5pn4OafXYcljtLqbzmXBbPbpdGXK21xf2AvcDbZwQU8Qxrw0WVMdNJzHL VRFcbW35kUiQwOsSSPlfVRCbIBiOr5HDx3K4L70QXYKfx0fEdJ9U3xGROwtnCAs= =7Wa/ -----END PGP SIGNATURE----- _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
