<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hello Sion, <br>
<br>
In my case ( with a TTL of 1 hour, a refresh period of 21 days and
a signature validity time of 28 days ) after 7 days ( and a bit )
there will be no record signed with the old ZSK anymore. After
that moment the old ZSK is useless and can be thrown away I
think. So it could be calculated by extracting the refresh from
the validity time ( with some extra time fore the time between
runs of the enforcer, the TTL etc. ). If it would be possible to
have an option to have the signerd resign all records with the
new ZSK after the rollover then in my case the retire period could
even be much shorter than a week. And there would be no
requirement to use a maximum TTL parameter. <br>
<br>
This is the way I see it. But maybe I`m overlooking something as
I find all this timing stuff quite complicated.<br>
<br>
With kind regards, <br>
<br>
Maurice<br>
<br>
<br>
<br>
<br>
On 05/02/2014 02:58 PM, Siôn Lloyd wrote:<br>
</div>
<blockquote cite="mid:53639659.4080006@nominet.org.uk" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Hi Maurice.<br>
<br>
We are aware of the overly long ZSK retire period; however the
fix would require a new parameter that describes the maximum TTL
within the signed zone. This has been added to the enforcer 2.0
code but in the 1.X code we use the signature lifetime as it is
a safe value to use.<br>
<br>
Note that new signatures are only being created by one ZSK so
the only penalty is a larger DNSKEY RRset.<br>
<br>
Sion<br>
<br>
On 02/05/14 13:16, Maurice Mahieu wrote:<br>
</div>
<blockquote cite="mid:53638C8C.9060201@info.nl" type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div class="moz-cite-prefix">Hello Yuri and Matthijs. <br>
<br>
I understand now why the behaviour is like this. I have a
refresh period of 21 days. The reason that it is this long is
that if opendnsssec would break down in some way there is
absolutely no stress to fix it ( except for dns changes ). I
wonder if there is any<b> </b>disadvantage in having double
ZSK`s for such a long period. <br>
<br>
<br>
With kind regards, <br>
<br>
Maurice<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
On 05/02/2014 09:14 AM, Matthijs Mekking wrote:<br>
</div>
<blockquote cite="mid:536345CB.40206@nlnetlabs.nl" type="cite">
<pre wrap="">On 05/01/2014 10:30 PM, Yuri Schaeffer wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi Maurice,
</pre>
<blockquote type="cite">
<pre wrap="">I noticed that the signature validity time gets added to the
retire period for keys. I am wondering why this is ? I have a TTL
of 1 hour for the keys. My signature validity time is 28 days.
With a TTL of 1H for the keys I think that normally it would be
safe for the old ZSK to stay in the retire state for a few hours
and then be marked dead.
</pre>
</blockquote>
<pre wrap="">Well the fact that your keys (i.e. DNSKEY records) will be cached for
1H says nothing about the TTL of the other records. Signatures get the
TTL of the records they are signing. As long as these records are
still cached the key must be (post)published.
</pre>
<blockquote type="cite">
<pre wrap="">But now it wil be in the retire state for 28 days. I think this is
strange. Or am I missing something ?
</pre>
</blockquote>
<pre wrap="">What you are missing is what the signer does. Instead of generating
all new signatures with the new key at once it will only replace the
(soon to be) expired signatures. And keep both the new and old key
published until this transition is done. Which could potentially take
the validity time.
</pre>
</blockquote>
<pre wrap="">This is called a smooth rollover.
Your keys will be in the retire state for about 28 days. The signer will
indeed reuse signatures created by the old key, as long as the time it
takes before those sigs are expired is longer than the Refresh period.
So if for example your Refresh period is set to 3 days (which is the
default), the rollover should be about 25 days plus some hours in the
retire state.
If you don't want the smooth rollover behavior, set the Refresh period
to PT0S.
Best regards,
Matthijs
</pre>
<blockquote type="cite">
<pre wrap="">//Yuri
_______________________________________________
Opendnssec-user mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Opendnssec-user@lists.opendnssec.org">Opendnssec-user@lists.opendnssec.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a>
</pre>
</blockquote>
<pre wrap="">_______________________________________________
Opendnssec-user mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Opendnssec-user@lists.opendnssec.org">Opendnssec-user@lists.opendnssec.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a>
</pre>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
<table
style="color:#000000;font-family:georgia;font-size:8pt;line-height:12pt;margin-left:-4px;padding:0;">
<tbody>
<tr>
<td style="font-size:10pt;line-height:12pt;"> Maurice
Mahieu </td>
</tr>
<tr>
<td
style="font-size:10pt;line-height:12pt;padding-bottom:15pt;">
System Engineer | <a moz-do-not-send="true"
href="mailto:maurice@info.nl"
style="color:#000;text-decoration:none;">maurice@info.nl</a>
</td>
</tr>
<tr>
<td
style="font-size:10pt;line-height:16pt;padding-bottom:3pt">
<a moz-do-not-send="true" href="http://www.info.nl"
style="text-decoration:none;"> <span
style="background-color:#000;color:#fff;font-size:14pt;text-decoration:none;display:inline-block;padding:4px
5px;margin-bottom:-5px;margin-right:-5px"><no
link="">info.nl</no></span> </a> <a
moz-do-not-send="true"
href="http://www.info.nl/nl?utm_source=e-mail_sig&utm_medium=e-mail&utm_term=connecting_the_dots&utm_campaign=info_sig"
style="color:#000;text-decoration:none;"><em
style="color:#000;text-decoration:none;">connecting
the dots</em></a> </td>
</tr>
<tr>
<td
style="font-family:georgia;font-size:10pt;line-height:12pt;padding-bottom:15pt;color:#000">
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | <a
moz-do-not-send="true" href="tel:+31205309111"
style="color:#000;text-decoration:none;">+31 (0)20
530 91 11</a> </td>
</tr>
</tbody>
</table>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Opendnssec-user mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Opendnssec-user@lists.opendnssec.org">Opendnssec-user@lists.opendnssec.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a>
</pre>
</blockquote>
<br>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
<table
style="color:#000000;font-family:georgia;font-size:8pt;line-height:12pt;margin-left:-4px;padding:0;">
<tbody>
<tr>
<td style="font-size:10pt;line-height:12pt;"> Maurice Mahieu
</td>
</tr>
<tr>
<td
style="font-size:10pt;line-height:12pt;padding-bottom:15pt;">
System Engineer | <a href="mailto:maurice@info.nl"
style="color:#000;text-decoration:none;">maurice@info.nl</a>
</td>
</tr>
<tr>
<td
style="font-size:10pt;line-height:16pt;padding-bottom:3pt">
<a href="http://www.info.nl" style="text-decoration:none;">
<span
style="background-color:#000;color:#fff;font-size:14pt;text-decoration:none;display:inline-block;padding:4px
5px;margin-bottom:-5px;margin-right:-5px"><no link="">info.nl</no></span>
</a> <a
href="http://www.info.nl/nl?utm_source=e-mail_sig&utm_medium=e-mail&utm_term=connecting_the_dots&utm_campaign=info_sig"
style="color:#000;text-decoration:none;"><em
style="color:#000;text-decoration:none;">connecting
the dots</em></a> </td>
</tr>
<tr>
<td
style="font-family:georgia;font-size:10pt;line-height:12pt;padding-bottom:15pt;color:#000">
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | <a
href="tel:+31205309111"
style="color:#000;text-decoration:none;">+31 (0)20 530
91 11</a> </td>
</tr>
</tbody>
</table>
</div>
</body>
</html>