[Opendnssec-develop] Questions unanswered

Jakob Schlyter jakob at kirei.se
Wed Jan 14 22:29:39 UTC 2009


On 14 jan 2009, at 16.07, Matthijs Mekking wrote:

> Question 1 is based on the assumption that the Signer Engine is
> responsible for re-signing. It is actually not a real question, but a
> remark: The Signer Engine determines the inception and expiration times
> on signatures given the refresh interval value it retrieved from KASP,
> right?

correct, although the signer engine receives configuration data from
the kasp enforcer. the actual configuration data is calculated from
the KASP (i.e. the policy), but you know that.


> Question 2: What's the difference between zone resigning interval and
> signature refresh interval? Imho, they are the same, but described
> differently.

no, they are not quite the same. for some applications (like we do
for .se today) we want to run a signer pass (the resigning
interval). in that case the resigning interval is simply what we would
have put in cron (.se will resign once every 2 hours, but will keep
signatures that are within the refresh window).


> Question 4: What is meant with signature jitter and clockskew? Does
> this affect the zone content? If so, in what way?

jitter is used to tweak the signature lifetimes in order to distribute
signature expiration times. from the BIND docs (which I wrote):

            When signing a zone with a fixed signature lifetime, all RRSIG
            records issued at the time of signing expire simultaneously. If
            the zone is incrementally signed, i.e. a previously-signed zone is
            passed as input to the signer, all expired signatures have to be
            regenerated at about the same time. The jitter option specifies a
            jitter window that will be used to randomize the signature expire
            time, thus spreading incremental signature regeneration over time.

            Signature lifetime jitter also to some extent benefits validators
            and servers by spreading out cache expiration, i.e. if large
            numbers of RRSIGs don't expire at the same time from all caches
            there will be less congestion than if all validators need to
            refetch at mostly the same time.


> And an extra question: Why should KASP store the TTL for NSECs?

yes.

> Shouldn't these be derived from the SOA's minimum field for negative
> caching?

could be, but you might want to tweak those more specifically I guess.


	jakob
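The interplay of resigning interval, refresh window, jitter and clock skew described in the reply above, modelled as an added Python example (this is not OpenDNSSEC or BIND code, and the 2-hour pass, 30-day lifetime, 7-day refresh, 10-day jitter window, 1-hour clock skew and 1000-RRset zone are constructed illustration values, not .se's actual policy). Every pass is what cron would trigger; a signature is kept unless it falls inside the refresh window, and the two runs show why jitter turns one regeneration spike into a spread of small batches:

```python
import random
from dataclasses import dataclass

# All times are integer hours; this is a simplification for the model.


@dataclass
class Signature:
    inception: int   # hour at which the RRSIG becomes valid
    expiration: int  # hour at which the RRSIG stops being valid


def sign(now, lifetime, jitter, clockskew, rng):
    """Issue one signature.

    Clock skew: inception is back-dated so that a validator whose clock
    runs slightly behind the signer still treats the RRSIG as valid.
    Jitter: a random amount in [0, jitter] is taken off the nominal
    lifetime, so signatures issued in the same pass expire at different
    times (the BIND jitter window quoted in the mail).
    """
    j = rng.randint(0, jitter)
    return Signature(inception=now - clockskew, expiration=now + lifetime - j)


def needs_refresh(sig, now, refresh):
    """True when the remaining validity is inside the refresh window."""
    return sig.expiration - now <= refresh


def signer_pass(sigs, now, lifetime, refresh, jitter, clockskew, rng):
    """One signer pass: regenerate only the signatures that are due.

    Returns the new signature list and how many RRSIGs were regenerated,
    which is the work (and the change to the zone) this pass caused.
    """
    kept, regenerated = [], 0
    for s in sigs:
        if needs_refresh(s, now, refresh):
            kept.append(sign(now, lifetime, jitter, clockskew, rng))
            regenerated += 1
        else:
            kept.append(s)
    return kept, regenerated


def simulate(n_rrsets, resign_interval, lifetime, refresh, jitter,
             clockskew=0, passes=300, seed=1):
    """Sign n_rrsets at hour 0, then run `passes` cron-like signer passes.

    Returns, per pass, the number of RRSIGs that had to be regenerated.
    The seed makes the jittered run reproducible.
    """
    rng = random.Random(seed)
    now = 0
    sigs = [sign(now, lifetime, jitter, clockskew, rng) for _ in range(n_rrsets)]
    history = []
    for _ in range(passes):
        now += resign_interval
        sigs, regenerated = signer_pass(sigs, now, lifetime, refresh,
                                        jitter, clockskew, rng)
        history.append(regenerated)
    return history


def compare_jitter(n_rrsets=1000):
    """Same policy twice: without jitter and with a 10-day jitter window.

    Constructed parameters: pass every 2 h, 30-day lifetime, 7-day
    refresh window, 1 h clock skew.
    """
    common = dict(resign_interval=2, lifetime=30 * 24, refresh=7 * 24, clockskew=1)
    return {
        "no_jitter": simulate(n_rrsets, jitter=0, **common),
        "jitter": simulate(n_rrsets, jitter=10 * 24, **common),
    }


if __name__ == "__main__":
    for name, hist in compare_jitter().items():
        busiest = max(range(len(hist)), key=hist.__getitem__)
        print(f"{name:9s}: {sum(hist)} RRSIGs regenerated in total, "
              f"busiest pass #{busiest + 1} regenerated {hist[busiest]}")
```

Without jitter every signature crosses into the refresh window on the same pass (the 276th, 552 hours in), so that one pass regenerates the whole zone; with jitter the same 1000 regenerations are spread over roughly 120 consecutive passes, which is the effect the quoted BIND text describes for both the signer and for validator caches.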



