[Opendnssec-develop] interaction between the Signer and KASP

Matthijs Mekking matthijs at NLnetLabs.nl
Thu Dec 18 13:22:16 UTC 2008



A debate has resulted in some questions and a proposal that affects the
interaction between the Signer and KASP module.

The OpenDNSSEC project designs the Signer as a client to the KASP
module. Whenever the Signer needs to sign stuff, it needs to contact the
KASP module in order to retrieve the security parameters. This might
lead to a lot of traffic between the two modules, since it is expected
that the Signer has to sign a lot. We would like to propose that KASP
signals the Signer in case any changes have occurred. The KASP already
needs to apply the changes, so we expect that it is little work for the
KASP module to send out a signal after the change is complete. Can we
make that assumption and is there any comment on this proposal?

Furthermore, some questions came to our mind that we could not answer.
Maybe this list can help us out:)

1. From the opendnssec.org website, I assume that the Signer has to
determine the inception and expiration times on signatures. It can
determine this from the refresh interval. (Ok, not a real question:))

2. What's the difference between zone resigning interval and signature
refresh interval? Imho, they are the same, but described differently.

3. What is the priority of changing security parameters? For example, it
could be that the signature validity period has changed. Does this need
to be applied to all signatures directly, or are they applied to
upcoming generated signatures only?

4. What is meant by signature jitter and clockskew? Does this affect
the zone content? If so, in what way?


Matthijs Mekking
NLnet Labs