Hello,

On 13 Dec 2013 at 15:43, Klaus Darilion wrote:

> On 13.12.2013 15:21, Emmanuel Thierry wrote:
>> Hello
>> (First time posting on this ML)
>>
>> After several months of waiting, I'm testing DNSSEC deployment with some of
>> my domains, using the OpenDNSSEC software.
>> However, some principles are still hard to envision for dummies, especially
>> time schedules.
>>
>> As an example, RFC 6781 shows a very clear timeline in section 4.4.2.2 about
>> signature validity. But it is missing for every other operation (KSK or ZSK
>> rollover, DS publication in the parent zone, ...). Concretely, it implies
>> that system administrators who are not DNSSEC experts may have a lot of trouble
>> understanding what exactly each configuration parameter means in software that
>> sticks really tightly to RFC 6781, such as OpenDNSSEC. In consequence, DNSSEC
>> configuration looks like black magic that will work (because the software is
>> made to do so) but we don't know why...
>> In my very specific case, I don't understand which of my parameters makes
>> the KSK take one day to be considered "published" when my zone TTLs
>> are set to 3600.
>
> Maybe you have configured a long "propagation delay".
> See https://wiki.opendnssec.org/display/DOCS/kasp.xml

Indeed, it worked when I reduced the PropagationDelay field in the Zone block (it was the most logical candidate).

>>
>> Does any material exist that explains graphically (in an ideal way) each specific
>> key and DNSSEC record life cycle, in the same manner as section 4.4.2.2?
>
> Have you checked:
> https://wiki.opendnssec.org/display/DOCS/Key+Rollovers and
> http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-03

A lot clearer! I think any system administrator deploying DNSSEC-enabled authoritative servers should have it! ;)

However, I still wonder how, for instance, the PropagationDelay field in the Parent block is used. The zone was automatically marked "active" when I set it ds-seen. I would have expected OpenDNSSEC to wait for PropagationDelay before marking it active, according to the timeline you refer to (PropagationDelay == "Dreg"?).

Anyway, we are drifting a bit into OpenDNSSEC internals.

Best regards
Emmanuel Thierry

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
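An added worked example (mine, not code from the thread or from the OpenDNSSEC project) showing where the "one day" in the question comes from: it parses a constructed kasp.xml policy, converts the ISO 8601 durations OpenDNSSEC uses (PT3600S, P1D, ...) to seconds, and computes the interval a policy implies before a new DNSKEY, or a new DS, can be relied on everywhere. The model is an assumption, not the enforcer's own logic: the Ipub >= DprpC + TTLkey relation from the key-timing draft referenced above, plus the PublishSafety margin the kasp.xml documentation describes, and the same TTL-plus-propagation shape for the DS on the parent side. The XML fragment, the policy values and the function names (`policy_intervals`, `iso8601_seconds`) are all constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed kasp.xml fragment for illustration (not a real deployment). The Zone
# PropagationDelay of one day is the kind of setting that makes a KSK with a
# one-hour DNSKEY TTL take about a day to be considered "published".
KASP_XML = """<KASP>
  <Policy name="default">
    <Description>constructed example policy</Description>
    <Zone>
      <PropagationDelay>P1D</PropagationDelay>
      <SOA><TTL>PT3600S</TTL><Minimum>PT3600S</Minimum><Serial>unixtime</Serial></SOA>
    </Zone>
    <Parent>
      <PropagationDelay>PT9999S</PropagationDelay>
      <DS><TTL>PT3600S</TTL></DS>
      <SOA><TTL>PT3600S</TTL><Minimum>PT3600S</Minimum></SOA>
    </Parent>
    <Keys>
      <TTL>PT3600S</TTL>
      <RetireSafety>PT3600S</RetireSafety>
      <PublishSafety>PT3600S</PublishSafety>
    </Keys>
  </Policy>
</KASP>"""

_DURATION = re.compile(
    r"^P(?:(?P<Y>\d+)Y)?(?:(?P<Mo>\d+)M)?(?:(?P<W>\d+)W)?(?:(?P<D>\d+)D)?"
    r"(?:T(?:(?P<H>\d+)H)?(?:(?P<Mi>\d+)M)?(?:(?P<S>\d+)S)?)?$"
)


def iso8601_seconds(text):
    """Convert an ISO 8601 duration as written in kasp.xml (PT3600S, P1D, PT1H30M) to seconds.

    Year and month components are rejected: their length depends on the calendar,
    so any fixed number of seconds would be a guess.
    """
    m = _DURATION.match(text.strip())
    if m is None or not any(m.groupdict().values()):
        raise ValueError("not an ISO 8601 duration: %r" % text)
    if m.group("Y") or m.group("Mo"):
        raise ValueError("year/month durations are calendar-dependent: %r" % text)
    part = lambda name: int(m.group(name) or 0)
    return (part("W") * 7 * 86400 + part("D") * 86400
            + part("H") * 3600 + part("Mi") * 60 + part("S"))


def policy_intervals(kasp_xml, policy_name="default"):
    """Return the two propagation intervals a policy implies, in seconds.

    Model (an assumption for this example, not OpenDNSSEC's internal code):
    a new DNSKEY can be trusted by every validator only once the old DNSKEY
    RRset has expired from caches (Keys/TTL) and the change has reached every
    authoritative server (Zone/PropagationDelay), plus the PublishSafety margin.
    The same shape applies to a new DS on the parent side: DS TTL plus
    Parent/PropagationDelay. The draft's Dreg (how long the parent takes to
    publish the DS at all) is not a policy value here; ds-seen is the operator's
    signal that it has elapsed.
    """
    root = ET.fromstring(kasp_xml)
    policy = root.find("./Policy[@name='%s']" % policy_name)
    if policy is None:
        raise KeyError("no policy named %r" % policy_name)

    def seconds(path):
        el = policy.find(path)
        if el is None or not el.text:
            raise KeyError("missing %s in policy %r" % (path, policy_name))
        return iso8601_seconds(el.text)

    dnskey_ttl = seconds("Keys/TTL")
    zone_propagation = seconds("Zone/PropagationDelay")
    publish_safety = seconds("Keys/PublishSafety")
    ds_ttl = seconds("Parent/DS/TTL")
    parent_propagation = seconds("Parent/PropagationDelay")
    return {
        "dnskey_publish_interval": dnskey_ttl + zone_propagation + publish_safety,
        "ds_publish_interval": ds_ttl + parent_propagation,
    }


def human(seconds):
    """Format a number of seconds as days/hours/minutes/seconds for reading."""
    d, rem = divmod(seconds, 86400)
    h, rem = divmod(rem, 3600)
    mi, s = divmod(rem, 60)
    return "%dd %02dh %02dm %02ds" % (d, h, mi, s)


if __name__ == "__main__":
    # Compare the one-day Zone delay with the reduced value from the thread's fix.
    reduced = KASP_XML.replace("<PropagationDelay>P1D<", "<PropagationDelay>PT9999S<", 1)
    for label, xml in (("Zone delay P1D", KASP_XML), ("Zone delay PT9999S", reduced)):
        iv = policy_intervals(xml)
        print("%-20s DNSKEY publish interval %s, DS publish interval %s"
              % (label, human(iv["dnskey_publish_interval"]), human(iv["ds_publish_interval"])))
```

With the constructed values the DNSKEY interval is 1d 02h with a one-day Zone PropagationDelay and about 4h 47m once it is reduced to PT9999S, which is the behaviour change reported above. The Parent block's PropagationDelay only enters the DS-side interval, so shortening the Zone value does nothing for the wait after ds-seen; whether the enforcer actually honours that wait is the question the message leaves open, and the model here does not settle it.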