[Opendnssec-develop] separate validity for signatures over DNSKEY

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Mar 15 10:20:40 UTC 2010

On 15 mar 2010, at 11.08, Jakob Schlyter wrote:

> On 15 mar 2010, at 11.04, Rickard Bellgrim wrote:
>> What about the refresh-tag?
> the refresh tag doesn't matter - it was an internal signer setting that has been taken care of.

You probably do not want to share the refresh interval between the ZSK and KSK, if you are splitting the validity.


KSK - validity 30 days.
ZSK - validity 7 days.

Refresh KSK RRSIG when it is 15 days until it expires.
Refresh ZSK RRSIG when it is 4 days until it expires.

// Rickard

More information about the Opendnssec-develop mailing list