[Opendnssec-develop] Questions unanswered

Olaf Kolkman olaf at NLnetLabs.nl
Thu Jan 15 08:49:49 UTC 2009


FWIW: The fine distinction between signing and refresh seems a good definition to rfc4641-bis

Sent from a phone; apologies for the telegram style this message might have.

On 14 jan 2009, at 23:29, Jakob Schlyter <jakob at kirei.se> wrote:

> On 14 jan 2009, at 16.07, Matthijs Mekking wrote:
>
>> Question 1 is based on the assumption that the Signer Engine is
>> responsible for re-signing. It is actually not a real question, but a
>> remark: The Signer Engine determines the inception and expiration times
>> on signatures given the refresh interval value it retrieved from KASP,
>> right?
>
> correct, although the signer engine receives configuration data from
> the kasp enforcer. the actual configuration data is calculated from
> the KASP (i.e. the policy), but you know that.
>
>
>> Question 2: What's the difference between zone resigning interval and
>> signature refresh interval? Imho, they are the same, but described
>> differently.
>
> no, they are not quite the same. for some applications (like we do
> for .se today) we want to run a signer pass (the resigning
> interval). in that case the resigning interval is simply what we
> would have put in cron (.se will resign once every 2 hours, but will
> keep signatures that are within the refresh window).
>
>
>> Question 4: What is meant with signature jitter and clockskew? Does this
>> affect the zone content? If so, in what way?
>
> jitter is used to tweak the signature lifetimes in order to
> distribute signature expiration times. from the BIND docs (which I
> wrote):
>
>           When signing a zone with a fixed signature lifetime, all RRSIG
>           records issued at the time of signing expire simultaneously. If
>           the zone is incrementally signed, i.e. a previously-signed zone is
>           passed as input to the signer, all expired signatures have to be
>           regenerated at about the same time. The jitter option specifies a
>           jitter window that will be used to randomize the signature expire
>           time, thus spreading incremental signature regeneration over time.
>
>           Signature lifetime jitter also to some extent benefits validators
>           and servers by spreading out cache expiration, i.e. if large
>           numbers of RRSIGs don't expire at the same time from all caches
>           there will be less congestion than if all validators need to
>           refetch at mostly the same time.
>
>
>> And an extra question: Why should KASP store the TTL for NSECs?
>
> yes.
>
>> Shouldn't these be derived from the SOA's minimum field for negative
>> caching?
>
> could be, but you might want to tweak those more specifically I guess.
>
>
>    jakob
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
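To make the resigning-interval versus refresh-window distinction and the effect of jitter concrete, here is an added Python simulation; it is not code from this thread or from OpenDNSSEC. A signer pass runs every resigning interval and regenerates only the RRSIGs whose remaining validity has dropped inside the refresh window; the 30-day lifetime, 7-day refresh window, 3-day jitter window and 1-hour clock-skew backdating are assumed values, while the 2-hour resigning interval is the .se figure quoted above.

```python
import random
from dataclasses import dataclass

# Assumed policy values (seconds); only the 2-hour resigning interval comes from the thread.
SIG_LIFETIME = 30 * 86400     # validity of a freshly issued RRSIG
REFRESH = 7 * 86400           # refresh window: re-sign once less than this validity remains
JITTER = 3 * 86400            # jitter window: expiration is shortened by up to this much
CLOCK_SKEW = 3600             # inception backdated so slightly slow validator clocks accept it
RESIGN_INTERVAL = 2 * 3600    # how often a signer pass runs (the .se cron interval)

@dataclass
class Rrsig:
    owner: str
    inception: int
    expiration: int

def needs_refresh(sig, now, refresh=REFRESH):
    """Keep a signature while it stays valid beyond the refresh window."""
    return sig.expiration - now < refresh

def sign(owner, now, lifetime=SIG_LIFETIME, jitter=0, rng=random):
    """Issue a new RRSIG; jitter randomizes the expiration within (lifetime - jitter, lifetime]."""
    j = rng.randrange(jitter) if jitter else 0
    return Rrsig(owner, now - CLOCK_SKEW, now + lifetime - j)

def signer_pass(sigs, now, jitter=0, rng=random):
    """One pass of the resigning interval: regenerate only RRSIGs inside the refresh window."""
    out, regenerated = [], 0
    for s in sigs:
        if needs_refresh(s, now):
            out.append(sign(s.owner, now, jitter=jitter, rng=rng))
            regenerated += 1
        else:
            out.append(s)
    return out, regenerated

def simulate(owners, jitter, days=60, seed=1):
    """Run a signer pass every RESIGN_INTERVAL for `days`; return regenerations per pass."""
    rng = random.Random(seed)
    sigs = [sign(o, 0, jitter=jitter, rng=rng) for o in owners]
    counts = []
    for step in range(1, days * 86400 // RESIGN_INTERVAL + 1):
        sigs, n = signer_pass(sigs, step * RESIGN_INTERVAL, jitter=jitter, rng=rng)
        counts.append(n)
    return counts

if __name__ == "__main__":
    owners = [f"rr{i}.example." for i in range(100)]   # constructed sample zone of 100 RRsets
    for jitter in (0, JITTER):
        counts = simulate(owners, jitter)
        print(f"jitter={jitter // 86400}d: {sum(1 for c in counts if c)} passes regenerate, "
              f"largest pass {max(counts)} RRSIGs")
```

Without jitter every RRSIG falls into the refresh window in the same 2-hour pass, so the whole zone is regenerated at once; with jitter the same work is spread over many passes.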