[Opendnssec-develop] Questions unanswered

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Wed Jan 14 15:57:35 UTC 2009


Matthijs Mekking <matthijs at NLnetLabs.nl> wrote on 14/01/2009 15:07:21:

> Hi,
> 
> We just decided to handle the questions on the list. So let me repeat my
> questions as well as post some new ones:
> 
> Question 1 is based on the assumption that the Signer Engine is
> responsible for re-signing. It is actually not a real question, but a
> remark: The Signer Engine determines the inception and expiration times
> on signatures given the refresh interval value it retrieved from KASP,
> right?

That's my understanding; KASP is just a database with logic that will 
allow it to list the keys that should be included in the zone (and which 
key should be used to sign it) at any given time.


> Question 2: What's the difference between zone resigning interval and
> signature refresh interval? Imho, they are the same, but described differently.

That sounds right, but I'm not sure - can anyone else comment?

 
> Question 3 from the list is already answered, since I have more insight
> in the flow of the OpenDNSSEC tool.
> 
> Question 4: What is meant by signature jitter and clock skew? Does this
> affect the zone content? If so, in what way?

As I understand it, signature jitter is a means by which the lifetime of 
signatures in a zone is varied around some mean so that you don't get all 
signatures expiring at the same time.  Over a period of time, they should 
end up expiring at a continuous rate.  This evens out the load on a system 
where you are doing continuous signing.

Clock skew is the (maximum) amount by which the clocks on the authoritative 
server and the validator differ.  This needs to be taken into account, else 
you could have a signature that is valid on the server but expired on the 
validator.


> 
> And an extra question: Why should KASP store the TTL for NSECs?
> Shouldn't these be derived from the SOA's minimum field for negative
> caching?

Not sure about this.

Stephen
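Added illustration (not part of the thread, and not OpenDNSSEC code): the timing logic discussed above, written out so the effect of each parameter can be seen. It assumes the reading given in the reply: inception is backdated by the clock-skew allowance, the signature lifetime is varied uniformly by up to plus or minus the jitter value, and a signature is re-signed once it is within the refresh interval of expiring as a validator with a fast clock would see it. The names `validity`, `jitter`, `clockskew`, `refresh` and the functions are assumptions for illustration only; OpenDNSSEC's own configuration names may differ.

```python
"""RRSIG validity timing: inception/expiration, jitter, clock skew, refresh.

Added example, not OpenDNSSEC code.  Parameter names are assumptions chosen
for illustration; the real KASP configuration may name or define them
differently.  All times are integer seconds since the epoch.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SigTimes:
    inception: int
    expiration: int


def signature_times(now: int, validity: int, jitter: int, clockskew: int,
                    rng: random.Random) -> SigTimes:
    """Compute inception/expiration for one signature made at `now`."""
    # Backdate inception by the clock-skew allowance so that a validator whose
    # clock is behind the signer still sees the signature as already valid.
    inception = now - clockskew
    # Vary the lifetime uniformly around `validity` (jitter) so that all the
    # signatures produced in one run do not expire in the same second.
    lifetime = validity + rng.randint(-jitter, jitter)
    return SigTimes(inception, now + lifetime)


def validator_accepts(sig: SigTimes, validator_clock: int) -> bool:
    """A validator only checks its own clock against the signature window."""
    return sig.inception <= validator_clock <= sig.expiration


def needs_resign(sig: SigTimes, now: int, refresh: int, clockskew: int) -> bool:
    """Re-sign once the signature is within `refresh` of expiring, as seen by
    a validator whose clock may be up to `clockskew` ahead of ours."""
    return sig.expiration - clockskew <= now + refresh


def sign_zone(now: int, n_rrsets: int, validity: int, jitter: int,
              clockskew: int, seed: int = 1) -> list:
    """Sign `n_rrsets` RRsets at the same instant with a seeded RNG
    (deterministic for the example; a signer would use a fresh RNG)."""
    rng = random.Random(seed)
    return [signature_times(now, validity, jitter, clockskew, rng)
            for _ in range(n_rrsets)]


def expiration_spread(sigs: list) -> int:
    """Width of the window over which the given signatures expire."""
    exps = [s.expiration for s in sigs]
    return max(exps) - min(exps)


if __name__ == "__main__":
    now = 1_700_000_000
    day = 86_400
    no_jitter = sign_zone(now, 1000, validity=14 * day, jitter=0, clockskew=3600)
    jittered = sign_zone(now, 1000, validity=14 * day, jitter=12 * 3600,
                         clockskew=3600)
    print("spread without jitter:", expiration_spread(no_jitter), "s")
    print("spread with jitter:   ", expiration_spread(jittered), "s")
```

Without jitter every signature in the run expires in the same second, so the whole zone comes due for re-signing at once; with jitter the expirations are spread over a window of up to twice the jitter value, which is what lets a continuously running signer spread its work out.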


