[Opendnssec-develop] Re: [OpenDNSSEC] #68: validity period passed, but no new signatures created

OpenDNSSEC owner-dnssec-trac at kirei.se
Mon Jan 4 13:50:07 CET 2010

#68: validity period passed, but no new signatures created
Reporter:  lijia@…         |       Owner:  matthijs      
    Type:  defect          |      Status:  new           
Priority:  major           |   Component:  Signer        
 Version:  trunk           |    Keywords:  resign, expire

Comment(by lijia@…):

 Replying to [comment:6 rb]:
 > Since <Resign> == <Refresh> you will have cases where signatures are
 reused, but will expire before the next re-sign. <Refresh> should be
 greater than <Resign>.
 > (A signature will be refreshed when it has x seconds until expiration)
 > http://trac.opendnssec.org/wiki/Signer/Using/Configuration/kasp
 > If all of the signatures can be reused, then no new signatures will be
 created. This will be the case for the first 4.5 minutes. But can happen
 more over time depending on if all of the signatures will expire around
 the same time.

 I do not quit understand the purpose of refresh. Do you mean that rrsig
 will recreate at the time (expiration_time - refresh)?

Ticket URL: <http://trac.opendnssec.org/ticket/68#comment:7>
OpenDNSSEC <http://www.opendnssec.org/>

More information about the Opendnssec-develop mailing list