On Thu, Jul 6, 2017 at 5:44 PM, Yuri Schaeffer <[email protected]> wrote:
> Hi Roman,
>
> I'm not 100% sure what you mean. I think you are saying that you used to
> see a daily resign of expired signatures but now you don't. Is that correct?
> Did OpenDNSSEC do a full resign after you upgraded? - This might
> explain why no signatures are expiring /yet/. Can you share your
> kasp.xml and conf.xml (beware! conf may contain passwords/pins). I could
> take a look and assert your expectations.

Hi Yuri,

Thanks for your reply, and sorry for the confusion. Daily resigns are
exactly what I miss after the update.

On 2nd of July I stopped OpenDNSSEC and emptied
/usr/local/var/opendnssec/tmp/. Once started, all zones were resigned,
and I can see the SOA for all zones set to 2017070200 on the public
DNS.  Since then there was nothing resigned, except for one zone with
ZSK renewed.

My kasp.xml and conf.xml are attached.

Thank you in advance.
<?xml version="1.0" encoding="UTF-8"?>

<Configuration>

        <RepositoryList>

                <Repository name="SoftHSM">
                        <Module>/usr/local/lib/softhsm/libsofthsm.so</Module>
                        <TokenLabel>OpenDNSSEC</TokenLabel>
                        <PIN>XXXXXXXX</PIN>
                        <SkipPublicKey/>
                </Repository>

        </RepositoryList>

        <Common>
                <Logging>
                        <Verbosity>3</Verbosity>
                        <Syslog><Facility>local0</Facility></Syslog>
                </Logging>

                <PolicyFile>/usr/local/etc/opendnssec/kasp.xml</PolicyFile>
                <ZoneListFile>/usr/local/etc/opendnssec/zonelist.xml</ZoneListFile>
        </Common>

        <Enforcer>

                <Datastore><SQLite>/usr/local/var/opendnssec/kasp.db</SQLite></Datastore>
                <Interval>PT3600S</Interval>

        </Enforcer>

        <Signer>

                <WorkingDirectory>/usr/local/var/opendnssec/tmp</WorkingDirectory>
                <WorkerThreads>4</WorkerThreads>

                <Listener>
                        <Interface><Address>192.168.60.203</Address><Port>53</Port></Interface>
                </Listener>

        </Signer>

</Configuration>
<?xml version="1.0" encoding="UTF-8"?>

<KASP>

        <Policy name="default">
                
                <Description>A default policy that will amaze you and your friends</Description>
                <Signatures>
                        <Resign>PT2H</Resign>
                        <Refresh>P3D</Refresh>
                        <Validity>
                                <Default>P14D</Default>
                                <Denial>P14D</Denial>
                        </Validity>
                        <Jitter>PT12H</Jitter>
                        <InceptionOffset>PT3600S</InceptionOffset>
                </Signatures>

                <Denial>
                        <NSEC3>
                                <Resalt>P100D</Resalt>
                                <Hash>
                                        <Algorithm>1</Algorithm>
                                        <Iterations>5</Iterations>
                                        <Salt length="8"/>
                                </Hash>
                        </NSEC3>
                </Denial>

                <Keys>
                        <TTL>PT3600S</TTL>
                        <RetireSafety>PT3600S</RetireSafety>
                        <PublishSafety>PT3600S</PublishSafety>
                        <Purge>P14D</Purge>

                        <KSK>
                                <Algorithm length="2048">8</Algorithm>
                                <Lifetime>P1Y</Lifetime>
                                <Repository>SoftHSM</Repository>
                        </KSK>

                        <ZSK>
                                <Algorithm length="1024">8</Algorithm>
                                <Lifetime>P90D</Lifetime>
                                <Repository>SoftHSM</Repository>
                        </ZSK>
                </Keys>

                <Zone>
                        <PropagationDelay>PT43200S</PropagationDelay>
                        <SOA>
                                <TTL>PT3600S</TTL>
                                <Minimum>PT3600S</Minimum>
                                <Serial>datecounter</Serial>
                        </SOA>
                </Zone>

                <Parent>
                        <PropagationDelay>PT9999S</PropagationDelay>
                        <DS>
                                <TTL>PT3600S</TTL>
                        </DS>
                        <SOA>
                                <TTL>PT172800S</TTL>
                                <Minimum>PT10800S</Minimum>
                        </SOA>
                </Parent>

        </Policy>

</KASP>
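The following is an added worked example, not code from the thread or from the OpenDNSSEC project: it parses the Signatures block of the policy posted above and computes when signatures made on 2 July 2017 would first fall due for refresh. It assumes the usual OpenDNSSEC semantics that a signature is refreshed once less than Refresh remains of its Validity, and models Jitter as a random offset in [-Jitter, +Jitter] on the expiration time; the duration parser and the function names (parse_duration, load_signature_params, refresh_window, resign_expected_by) are hypothetical helpers written for this example. The embedded kasp.xml fragment is constructed from the policy in this message.

```python
import re
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Constructed sample: the <Signatures> block of the policy posted in this
# thread, trimmed to the elements the calculation needs.
KASP_SAMPLE = """<KASP>
  <Policy name="default">
    <Signatures>
      <Resign>PT2H</Resign>
      <Refresh>P3D</Refresh>
      <Validity>
        <Default>P14D</Default>
        <Denial>P14D</Denial>
      </Validity>
      <Jitter>PT12H</Jitter>
      <InceptionOffset>PT3600S</InceptionOffset>
    </Signatures>
  </Policy>
</KASP>"""

# ISO 8601 duration as used in kasp.xml (P..D, PT..H, PT..S, ...).
_DUR = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text):
    """Turn an ISO 8601 duration into a timedelta.
    Years and months are approximated (365 / 30 days), which is good enough
    for a sanity check of signature timing."""
    t = text.strip()
    m = _DUR.match(t)
    if not m or t in ("P", "PT"):
        raise ValueError(f"bad duration: {text!r}")
    g = {k: int(v) if v else 0 for k, v in m.groupdict().items()}
    days = g["y"] * 365 + g["mo"] * 30 + g["w"] * 7 + g["d"]
    return timedelta(days=days, hours=g["h"], minutes=g["mi"], seconds=g["s"])


def load_signature_params(kasp_xml, policy_name="default"):
    """Read the Signatures timing values of one policy out of kasp.xml."""
    root = ET.fromstring(kasp_xml)
    pol = root.find(f"./Policy[@name='{policy_name}']")
    if pol is None:
        raise KeyError(f"no policy named {policy_name!r}")
    sig = pol.find("Signatures")
    return {
        "resign": parse_duration(sig.findtext("Resign")),
        "refresh": parse_duration(sig.findtext("Refresh")),
        "validity": parse_duration(sig.findtext("Validity/Default")),
        "jitter": parse_duration(sig.findtext("Jitter")),
        "inception_offset": parse_duration(sig.findtext("InceptionOffset")),
    }


def refresh_window(signed_at, params):
    """Earliest and latest moment a signature created at `signed_at` becomes
    due for refresh.  Assumed model: expiration = signed_at + Validity + j,
    with j drawn from [-Jitter, +Jitter]; refresh is due once
    expiration - Refresh <= now."""
    base = signed_at + params["validity"] - params["refresh"]
    return base - params["jitter"], base + params["jitter"]


def resign_expected_by(now, signed_at, params):
    """True if at least one signature could already be due for refresh."""
    earliest, _ = refresh_window(signed_at, params)
    return now >= earliest


def main():
    p = load_signature_params(KASP_SAMPLE)
    signed = datetime(2017, 7, 2)            # full resign after emptying tmp/
    asked = datetime(2017, 7, 6, 17, 44)     # time of the reply in the thread
    lo, hi = refresh_window(signed, p)
    print(f"validity {p['validity']}, refresh {p['refresh']}, jitter +/-{p['jitter']}")
    print(f"first refresh window: {lo:%Y-%m-%d %H:%M} .. {hi:%Y-%m-%d %H:%M}")
    print(f"any refresh expected by {asked:%Y-%m-%d %H:%M}? "
          f"{resign_expected_by(asked, signed, p)}")


if __name__ == "__main__":
    main()
```

Under these assumptions the Resign interval (PT2H) only says how often the signer wakes up; with P14D validity and P3D refresh, signatures made on 2 July are not touched until around 12-13 July, so a zone that was fully resigned on 2 July shows no new RRSIGs on 6 July. A quick way to check the actual state of a zone is to compare the RRSIG expiration times in the signed zone file against the refresh window the script prints.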
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user