mirror of
https://github.com/coredns/coredns.git
synced 2026-01-13 12:21:18 -05:00
This reverts commit c4720b8ad2.
This commit is contained in:
Miek Gieben
GitHub
@@ -7,9 +7,9 @@
|
||||
## Description
|
||||
|
||||
The *sign* plugin is used to sign (see RFC 6781) zones. In this process DNSSEC resource records are
|
||||
added to the zone. The signatures that sign the resource records sets have an expiration date. This
|
||||
means the signing process must be repeated before this expiration data is reached. Otherwise the
|
||||
zone's data will go BAD (RFC 4035, Section 5.5). The *sign* plugin takes care of this.
|
||||
added. The signatures that sign the resource records sets have an expiration date, this means the
|
||||
signing process must be repeated before this expiration data is reached. Otherwise the zone's data
|
||||
will go BAD (RFC 4035, Section 5.5). The *sign* plugin takes care of this.
|
||||
|
||||
Only NSEC is supported, *sign* does *not* support NSEC3.
|
||||
|
||||
@@ -29,12 +29,7 @@ it do key or algorithm rollovers - it just signs.
|
||||
|
||||
- the signature only has 14 days left before expiring.
|
||||
|
||||
Both these dates are only checked on the SOA's signature(s). This concerns the DNSSEC data, the
|
||||
*sign* plugin will also take into account and resign if:
|
||||
|
||||
- the **mtime** of the zone file has changed, since the last time it was checked.
|
||||
|
||||
- the signed zone file doesn't exist on disk.
|
||||
Both these dates are only checked on the SOA's signature(s).
|
||||
|
||||
* Create RRSIGs that have an inception of -3 hours (minus a jitter between 0 and 18 hours)
|
||||
and a expiration of +32 (plus a jitter between 0 and 5 days) days for every given DNSKEY.
|
||||
|
||||
Reference in New Issue
Block a user