On 2010-11-27 13:09, Marc Lampo wrote:
> Q2: Does Bind "automatic" resigning take the TTL into account ?
> (so that it does not resign later than "present expiration" - "TTL")

Depending on the configuration:

>sig-validity-interval
>Specifies the number of days into the future when DNSSEC signatures
>automatically generated as a result of dynamic updates (the section
>called "Dynamic Update") will expire. There is an optional second field which
>specifies how long before expiry that the signatures will be
>regenerated. If not specified, the signatures will be regenerated at 1/4 of
>base interval. The second field is specified in days if the base
>interval is greater than 7 days otherwise it is specified in hours. The
>default base interval is 30 days giving a re-signing interval of 7
>1/2 days. The maximum values are 10 years (3660 days).
>
>The signature inception time is unconditionally set to one hour before the
>current time to allow for a limited amount of clock skew.
>
>The sig-validity-interval should be, at least, several multiples of the SOA
>expire interval to allow for reasonable interaction between the
>various timer and expiry dates.

If your TTL is longer than 7.5 days, bind will NOT resign correctly without this option.

greetings,
Niobos
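
The timing rules quoted in the message above, as an added example that is not part of the original post and is not BIND code. It computes the re-sign lead time from a sig-validity-interval setting and lists RRsets whose TTL exceeds it; the function names, the lower bound of 1 day and the sample zone data are assumptions made for the illustration.

```python
# Added example (not from the thread): models the sig-validity-interval rules
# quoted above. All names below are hypothetical.
from dataclasses import dataclass

DAY, HOUR = 86400, 3600

@dataclass(frozen=True)
class ResignPlan:
    validity_s: int  # how far in the future new signatures expire
    lead_s: int      # how long before expiry signatures are regenerated

def resign_plan(base_days, resign=None):
    """Interpret 'sig-validity-interval <base_days> [<resign>];'."""
    # Upper bound is from the quoted text; the lower bound is a sanity check.
    if not 1 <= base_days <= 3660:
        raise ValueError("base interval must be 1..3660 days")
    validity = base_days * DAY
    if resign is None:
        lead = validity // 4                      # default: 1/4 of base
    else:
        unit = DAY if base_days > 7 else HOUR     # days above 7, else hours
        lead = resign * unit
    if not 0 < lead < validity:
        raise ValueError("re-sign lead must be shorter than the validity")
    return ResignPlan(validity, lead)

def ttls_at_risk(plan, rrset_ttls):
    """Return RRsets whose TTL exceeds the re-sign lead time.

    Assumption (the condition asked about in the thread): re-signing must
    happen no later than expiration - TTL, i.e. TTL <= lead time.
    """
    return {name: ttl for name, ttl in rrset_ttls.items() if ttl > plan.lead_s}

# Constructed sample zone data: owner/type -> TTL in seconds.
SAMPLE_TTLS = {
    "example.test. SOA": 1 * DAY,
    "example.test. NS": 14 * DAY,
    "www.example.test. A": 1 * HOUR,
}

if __name__ == "__main__":
    for label, plan in (("default (30)", resign_plan(30)),
                        ("explicit (60 15)", resign_plan(60, 15))):
        print(label, "lead:", plan.lead_s / DAY, "days,",
              "at risk:", ttls_at_risk(plan, SAMPLE_TTLS) or "none")
```

With the default interval the 14-day NS TTL is flagged; with a base of 60 days and a 15-day second field nothing is.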