Hi Jan,
On 27 Jan 2014, at 16:26, Jan Včelák <jan.vcelak(a)nic.cz> wrote:

> Today, CZ.NIC Labs proudly announce the Knot DNS 1.4.2.

Congratulations!
> There are quite a lot of changes:

Now, that's a surprise ;-)
> * We also fixed several problems in DNSSEC. Firstly, the 'knotc signzone'
> command was broken and caused a deadlock of the main server thread. It does
> not happen with the new version.

And here my only comment is (as you well know by now) that I like simple things, because
more complicated things break in new and inventive ways. An authoritative server that
didn't try to sign zones would never have had a deadlock like this.
That said, I do understand that the signing stuff is brand new, and of course new code has
bugs, and as the bugs are found they get fixed, which is good.
But there will be more bugs in Knot because of this added complexity than otherwise. And
this is a concern to me.
> Secondly, prior to this release, the signatures were refreshed two hours
> before their expiration, which was found to be extremely insufficient. With
> the new release, signatures are refreshed one tenth of the signature
> lifetime before their expiration. With the default configuration, the
> signature lifetime is 30 days, which implies that the signatures are
> refreshed three days before the expiration.

In this particular area I think BIND9 has it right. To begin with, BIND9 uses 1/4 of the
signature lifetime as the default for when to resign. In addition to that there is a
configuration parameter called "resigning interval" which specifies the amount
of "remaining lifetime" in the signature before it will get resigned.
I.e. with a signature lifetime of ten days and a resigning interval of four days the zone
will get resigned every six days if nothing else changes.
This makes a lot of sense, because a fixed percentage of the signature lifetime simply
doesn't work for very long or very short lifetimes.
> * Moreover, RRSIGs in the additional records not-fitting into the DNS message
> do not cause packet truncation, but are simply skipped.

Of course they are skipped, because they didn't fit, but that is what Knot did before
also, I think. Do I understand this correctly that the change is only that you no longer
set the TC bit when excluding RRSIGs from Additional? If so, then that is the correct
fix.
Regards,
Johan
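
An added illustration of the two refresh policies compared in the thread (a fixed fraction of the signature lifetime versus BIND9's fixed "resigning interval"); this is example code written for this page, not Knot DNS or BIND9 code, and the RRSIG line, the zone name and the key tag are constructed.

```python
# Added example (not Knot DNS or BIND9 code): compares the RRSIG refresh
# policies discussed above. Timestamps use the RRSIG presentation format
# YYYYMMDDHHmmSS (UTC); the sample RRSIG below is constructed.
from datetime import datetime, timedelta, timezone

RRSIG_FMT = "%Y%m%d%H%M%S"

def parse_rrsig_times(rrsig_line):
    """Return (inception, expiration) from an RRSIG in presentation format:
    owner TTL class RRSIG type alg labels origttl expiration inception keytag signer sig"""
    fields = rrsig_line.split()
    if len(fields) < 12 or fields[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    expiration = datetime.strptime(fields[8], RRSIG_FMT).replace(tzinfo=timezone.utc)
    inception = datetime.strptime(fields[9], RRSIG_FMT).replace(tzinfo=timezone.utc)
    if expiration <= inception:
        raise ValueError("expiration must follow inception")
    return inception, expiration

def refresh_by_fraction(inception, expiration, fraction):
    """Fraction policy: keep a fixed share of the lifetime in reserve
    (1/10 in Knot 1.4.2; BIND9's default is 1/4)."""
    return expiration - (expiration - inception) * fraction

def refresh_by_interval(expiration, resign_interval):
    """Interval policy (BIND9 'resigning interval'): keep a fixed remaining lifetime."""
    return expiration - resign_interval

def resign_period(lifetime, resign_interval):
    """How often an otherwise unchanged zone is re-signed under the interval policy."""
    return lifetime - resign_interval

def reserve_by_fraction(lifetime, fraction):
    """Remaining lifetime kept in reserve under the fraction policy; shows how
    the safety margin shrinks or balloons with very short or very long lifetimes."""
    return lifetime * fraction

# Constructed RRSIG with a 30-day lifetime (signature data abbreviated).
SAMPLE_RRSIG = ("example.com. 3600 IN RRSIG A 8 2 3600 20140226120000 "
                "20140127120000 12345 example.com. AbCdEf==")

if __name__ == "__main__":
    inc, exp = parse_rrsig_times(SAMPLE_RRSIG)
    print("1/10 of lifetime  ->", refresh_by_fraction(inc, exp, 0.1))
    print("4-day interval    ->", refresh_by_interval(exp, timedelta(days=4)))
    print("10d lifetime, 4d interval: resign every", resign_period(timedelta(days=10), timedelta(days=4)))
    for lt in (timedelta(hours=1), timedelta(days=30), timedelta(days=365)):
        print("lifetime", lt, "-> reserve at 1/10:", reserve_by_fraction(lt, 0.1))
```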