- Type: Bug
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: OpenDNSSEC 1.4.9
- Fix Version/s: None
- Component/s: None
- Labels: None
- Environment: Ubuntu 16.04.6 LTS
I'm using RFC5011 on my zones because this is the only practical way to get resolvers to keep working if external connectivity is lost, otherwise local zones fail to validate.
Overnight the previous KSK was revoked before waiting for the DS record for the new KSK, causing all the zones to fail to validate.
RFC5011 is not intended solely for use by the root zone and it must be possible to continue to use DS records at the same time.
<Policy name="default">
    <Description>A default policy that will amaze you and your friends</Description>
    <Signatures>
        <Resign>P1D</Resign>
        <Refresh>P56D</Refresh>
        <Validity>
            <Default>P63D</Default>
            <Denial>P63D</Denial>
        </Validity>
        <Jitter>P1D</Jitter>
        <InceptionOffset>PT1H</InceptionOffset>
    </Signatures>
    <Denial>
        <NSEC3>
            <Resalt>P100D</Resalt>
            <Hash>
                <Algorithm>1</Algorithm>
                <Iterations>5</Iterations>
                <Salt length="8"/>
            </Hash>
        </NSEC3>
    </Denial>
    <Keys>
        <TTL>PT1H</TTL>
        <RetireSafety>P2D</RetireSafety>
        <PublishSafety>P2D</PublishSafety>
        <ShareKeys/>
        <Purge>P14D</Purge>
        <KSK>
            <Algorithm length="1536">10</Algorithm>
            <Lifetime>P1Y</Lifetime>
            <Repository>SoftHSM</Repository>
            <Standby>0</Standby>
            <!-- <ManualRollover/> -->
            <RFC5011/>
        </KSK>
        <ZSK>
            <Algorithm length="1280">10</Algorithm>
            <Lifetime>P3M</Lifetime>
            <Repository>SoftHSM</Repository>
            <Standby>0</Standby>
            <!-- <ManualRollover/> -->
        </ZSK>
    </Keys>
    <Zone>
        <PropagationDelay>PT1H</PropagationDelay>
        <SOA>
            <TTL>PT3H</TTL>
            <Minimum>PT1H</Minimum>
            <Serial>datecounter</Serial>
        </SOA>
    </Zone>
    <Parent>
        <PropagationDelay>PT3H</PropagationDelay>
        <DS>
            <TTL>P1D</TTL>
        </DS>
        <SOA>
            <TTL>P2D</TTL>
            <Minimum>PT3H</Minimum>
        </SOA>
    </Parent>
</Policy>
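Added example (not OpenDNSSEC code and not from the reporter): a pre-revocation check that models the failure described in this report. Before a KSK gets the RFC 5011 REVOKE bit, some other unrevoked DNSKEY must match a DS the parent actually publishes, because the REVOKE bit is part of the DNSKEY RDATA and therefore changes the key's DS digest. The zone name and key bytes are constructed placeholders, not real key material.

```python
import hashlib
from dataclasses import dataclass

REVOKE = 0x0080    # RFC 5011 REVOKE flag; it is part of the RDATA, so setting it changes the DS
SEP = 0x0001       # Secure Entry Point (KSK) flag, RFC 4034
ZONE_KEY = 0x0100  # Zone Key flag, RFC 4034

@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    pubkey: bytes      # constructed sample bytes below, not real key material
    protocol: int = 3

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey

    def is_revoked(self) -> bool:
        return bool(self.flags & REVOKE)

def wire_name(name: str) -> bytes:
    """Canonical (lowercase, wire-format) owner name, the first part of the DS digest input."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def ds_sha256(owner: str, key: DNSKEY) -> bytes:
    """DS digest type 2 (RFC 4509): SHA-256(canonical owner name | DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + key.rdata()).digest()

def chain_intact(owner: str, dnskeys: list, parent_ds: set) -> bool:
    """A validator enters the zone only through an unrevoked DNSKEY matching a parent DS."""
    return any(not k.is_revoked() and ds_sha256(owner, k) in parent_ds for k in dnskeys)

def safe_to_revoke(owner: str, dnskeys: list, parent_ds: set, candidate: DNSKEY) -> bool:
    """Revoking `candidate` is safe only if the chain stays intact without it."""
    return chain_intact(owner, [k for k in dnskeys if k != candidate], parent_ds)

def report_scenario() -> tuple:
    """Constructed replay of the report: the parent DS set still covers only the old KSK."""
    owner = "example.test."   # placeholder zone name
    old = DNSKEY(ZONE_KEY | SEP, 10, bytes(range(64)))       # algorithm 10 as in the policy
    new = DNSKEY(ZONE_KEY | SEP, 10, bytes(range(64, 128)))
    parent_ds = {ds_sha256(owner, old)}
    before = safe_to_revoke(owner, [old, new], parent_ds, old)  # False: new DS not yet published
    parent_ds.add(ds_sha256(owner, new))
    after = safe_to_revoke(owner, [old, new], parent_ds, old)   # True: parent now covers new KSK
    return before, after
```

Run against a real zone, the DNSKEY set would come from the signed zone and the DS set from a query to the parent; the check should be green before the signer is allowed to set the REVOKE bit.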