[Opendnssec-develop] separate validity for signatures over DNSKEY
rickard.bellgrim at iis.se
Mon Mar 15 10:20:40 UTC 2010
On 15 mar 2010, at 11.08, Jakob Schlyter wrote:
> On 15 mar 2010, at 11.04, Rickard Bellgrim wrote:
>> What about the refresh-tag?
> the refresh tag doesn't matter - it was an internal signer setting that has been taken care of.
You probably do not want to share the refresh interval between the ZSK and KSK, if you are splitting the validity.
KSK - validity 30 days.
ZSK - validity 7 days.
Refresh KSK RRSIG when it is 15 days until it expires.
Refresh ZSK RRSIG when it is 4 days until it expires.
More information about the Opendnssec-develop