Hello, I have dnssec set up for my domains and powerdns made it dead simple. It's been operating without issue for quite a while now without problem, but then I had a strange network issue and one of my slave servers couldn't get fresh AXFR from the hidden master, resulting in inconsistent data on one of the four servers for my domains, resulting in a periodic dnssec validation failure that was a bit difficult to troubleshoot.

I am now adding some more automated testing to my internal systems monitoring regime so that I can be notified in the future if any domain approaches the signature expiration date. But, powerdns seems to assign relatively short signature expiration times, and I want to understand the process a bit more. It seems like powerdns just always gives a 2 week expiration and doesn't refresh or update that until it has like a week left before expiration. I caught the bit about Thursdays etc. and I get that. But, I might want something different... paypal.com for example, seems to always be fresh at 30 days for example.

I likely would want a longer expiration than the powerdns default because, if there is a problem, maybe I need some time to fix underlying issues. Or maybe I just like the idea of refreshing the signature once per day. I do trust the developers to know way more than I, but I'd love to know where these knobs are and how to tweak them if possible.
Thanks.
Mike-
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
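An added example, not part of the original message and not PowerDNS code: one way to write the monitoring check described above, comparing the SOA RRSIG returned by each authoritative server so that both an approaching expiration and a secondary serving older signatures are reported. The server names, the 5-day warning threshold and the sample records are constructed, and treating an older inception time as "stale" is a heuristic assumed here.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the SOA RRSIG line each server might return, e.g. from
# `dig +dnssec SOA example.com @server`. Key tag and signature are placeholders.
_FRESH = ("example.com. 3600 IN RRSIG SOA 13 2 3600 "
          "20240215000000 20240125000000 12345 example.com. c2lnbmF0dXJl")
_OLD = ("example.com. 3600 IN RRSIG SOA 13 2 3600 "
        "20240201000000 20240111000000 12345 example.com. c2lnbmF0dXJl")
SAMPLE = {"ns1.example.com": _FRESH, "ns2.example.com": _FRESH,
          "ns3.example.com": _FRESH, "ns4.example.com": _OLD}


def _ts(text):
    # RRSIG presentation format uses YYYYMMDDHHmmSS in UTC (RFC 4034, 3.2).
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Extract the validity window from one RRSIG line in zone-file format."""
    f = line.split()
    i = f.index("RRSIG")  # RDATA: covered alg labels ttl expiration inception tag
    return {"covered": f[i + 1], "expiration": _ts(f[i + 5]),
            "inception": _ts(f[i + 6]), "key_tag": int(f[i + 7])}


def check_rrsigs(answers, now, warn=timedelta(days=5)):
    """Return {server: (whole_days_left, [problems])} for per-server RRSIGs."""
    sigs = {srv: parse_rrsig(line) for srv, line in answers.items()}
    newest = max(s["inception"] for s in sigs.values())
    report = {}
    for srv, s in sigs.items():
        left = s["expiration"] - now
        problems = []
        if now < s["inception"]:
            problems.append("not-yet-valid")  # clock skew or future-dated signature
        if left <= timedelta(0):
            problems.append("expired")
        elif left < warn:
            problems.append("expiring")
        if s["inception"] < newest:
            problems.append("stale")  # older signatures than the other servers
        report[srv] = (left.days, problems)
    return report


if __name__ == "__main__":
    for srv, (days, problems) in sorted(check_rrsigs(SAMPLE, datetime.now(timezone.utc)).items()):
        print(f"{srv}: {days} days left, {', '.join(problems) or 'ok'}")
```

In a real check the `answers` dictionary would be filled by querying each server directly rather than through a resolver, so that a single out-of-date secondary is not hidden by caching.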