On 4 Feb 2014, at 16:43, Emil Natan <[email protected]> wrote:

> Hello,
>
> I've been following the list for some time, but this is my first email
> and I presume there will be a few more.

Hi Emil,

Thanks for the mail :-)

>
> I created some policy and when I run ods-kaspcheck I receive the following
> warning:
>
> WARNING: Keys/PublishSafety (7200 seconds) is greater than 5 * TTL (300
> seconds) for xxx policy in /usr/local/ods/etc/opendnssec/kasp.xml
> WARNING: Keys/RetireSafety (86400 seconds) is greater than 5 * TTL (300
> seconds) for xxx policy in /usr/local/ods/etc/opendnssec/kasp.xml
>
> I understand what this warning means, but I do not understand why this is
> bad/not recommended and why the warning is shown?

There is a check in the code that "PublishSafety" and "RetireSafety" margins are not less than 0.1 * TTL or more than 5 * TTL. So it looks like an order of magnitude type check to help catch typos/errors.

Plus, one side effect of having keys around for longer than needed is that it could lead to unnecessarily large answers to DNSKEY queries.

Sara.

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
