[Opendnssec-develop] Questions unanswered
Stephen.Morris at nominet.org.uk
Stephen.Morris at nominet.org.uk
Wed Jan 14 15:57:35 UTC 2009
Matthijs Mekking <matthijs at NLnetLabs.nl> wrote on 14/01/2009 15:07:21:
> Hi,
>
> We just decided to handle the questions on the list. So let me repeat my
> questions as well post some new ones:
>
> Question 1 is based on the assumption that the Signer Engine is
> responsible for re-signing. It is actually not a real question, but a
> remark: The Signer Engine determines the inception and expiration times
> on signatures given the refresh interval value it retrieved from KASP,
> right?
That's my understanding; KASP is just a database with logic that will
allow it to list the keys that should be included in the zone (and which
key should be used to sign it) at any given time.
> Question 2: What's the difference between zone resigning interval and
> signature
> refresh interval? Imho, they are the same, but described differently.
That sounds right, but I'm not sure - can anyone else comment?
> Question 3 from the list is already answered, since I have more insight
> in the flow of the OpenDNSSEC tool.
>
> Question 4: What is meant with signature jitter and clockskew? Does this
> affect
> the zone content? If so, in what way?
As I understand it, signature jitter is a means by which the lifetime of
signatures in a zone is varied around some mean so that you don't get all
signatures expiring at the same time. Over a period of time, they should
end up expiring at a continuous rate. This even out the load on a system
where you are doing continuous signing.
Clockskew is the (maximum) amount by which the clocks on the authoritative
server and the validator differ. This needs to be taken into account else
you could have a signature that is valid on the server but expired on the
validator.
>
> And an extra question: Why should KASP store the TTL for NSECs.
> Shouldn't these be derived from the SOA's minimum field for negative
> caching?
Not sure about this.
Stephen
More information about the Opendnssec-develop
mailing list