In message <2274914.OQEsm7p8Dx@dan>, "Daniel A. Ramaley" writes:
> On 2016-07-05 at 15:26:31 Tony Finch wrote:
> > There is a third option:
> >
> > 3) Maintain zone files with a text editor, and use inline-signing mode
> > to get named to sign them.
> >
> > For option 3 you don't want an update-
Thanks for the clarification.
In terms of config options, I assume we are talking about the following:
dnssec-loadkeys-interval (with a default of 60 minutes)
sig-validity-interval (with a default of 30 days)
So…
A new key should be published for at least [sig-validity-interval] before
deletion
Mathew Ian Eis wrote:
>
> > Are you allowing enough time for named to go through a zone key
> > maintenance cycle? (which is hourly if I remember correctly)
>
> I’m not sure, it sounds like perhaps not always? You’ve mentioned a “zone
> key maintenance cycle” of an hour, and the docs also casual
> How promptly are you deleting the key files?
Any time >= deletion time, varying… we think this could explain why only some
of the DNSKEYs are becoming zombies, but not all.
> Are you allowing enough time for named to go through a zone key maintenance
> cycle? (which is hourly if I remember co
On 2016-07-05 at 15:26:31 Tony Finch wrote:
> There is a third option:
>
> 3) Maintain zone files with a text editor, and use inline-signing mode
> to get named to sign them.
>
> For option 3 you don't want an update-policy clause.
OK, that's actually the behavior that i was trying to achieve. E
Daniel A. Ramaley wrote:
>
> From the responses i received, it seems i completely misunderstood how
> automatic signing is supposed to work. If i'm now understanding
> correctly, there are 2 mutually exclusive ways to do things:
> 1) Maintain zone files with a text editor, and sign them manually
On 2016-07-04 at 15:44:32 Tony Finch wrote:
> In most cases it is best to either use `nsupdate` exclusively, or
> directly edit the master file, but not a mixture of the two. If you
> are using `nsupdate` then there is no need for inline-signing.
From the responses i received, it seems i complet
On Jul 4 2016, G.W. Haywood wrote:
Hi there,
On Mon, 4 Jul 2016, Amit Kumar Gupta wrote:
[An entire digest message, which I've snipped]
It would be extremely helpful to those of us on the digest list, and
generally more polite, if you would NOT include in your posts to the
list, simply in o