[Opendnssec-develop] separate validity for signatures over DNSKEY

Jakob Schlyter jakob at kirei.se
Mon Mar 15 10:22:47 UTC 2010


On 15 mar 2010, at 11.20, Rickard Bellgrim wrote:

> On 15 mar 2010, at 11.08, Jakob Schlyter wrote:
> 
>> On 15 mar 2010, at 11.04, Rickard Bellgrim wrote:
>> 
>>> What about the refresh-tag?
>> 
>> the refresh tag doesn't matter - it was an internal signer setting that has been taken care of.
> 
> You probably do not want to share the refresh interval between the ZSK and KSK, if you are splitting the validity.
> 
> E.g.:
> 
> KSK - validity 30 days.
> ZSK - validity 7 days.
> 
> Refresh KSK RRSIG when it is 15 days until it expires.
> Refresh ZSK RRSIG when it is 4 days until it expires.

when we support offline KSK this may be interesting, but as of now when we require the KSK to be online it really doesn't matter.

	jakob
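Added illustration (not part of the thread or of OpenDNSSEC's code): a small model of the two knobs under discussion, using the figures from the quoted example (KSK validity 30 days / refresh 15 days, ZSK validity 7 days / refresh 4 days). "Refresh" is taken, as in the quoted message, to mean "re-sign when this much time or less remains before expiration"; the rejection of a refresh window that is at least as long as the validity is an assumed sanity check, added here to show why a single shared refresh value does not fit both keys. The signer is simulated as running once a day; all dates are constructed.

```python
"""Constructed model of RRSIG validity and refresh scheduling.

Assumed semantics (not OpenDNSSEC's implementation): an RRSIG is valid
for `validity` from the moment it is made and is regenerated as soon as
`refresh` or less of that lifetime remains.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SigPolicy:
    name: str
    validity: timedelta  # RRSIG lifetime from signing to expiration
    refresh: timedelta   # re-sign when this much (or less) time remains

    def is_valid(self) -> bool:
        # Assumed check: a refresh window at least as long as the validity
        # makes every signer run re-sign the RRset, so reject the policy.
        return self.refresh < self.validity


def needs_refresh(policy: SigPolicy, signed_at: datetime, now: datetime) -> bool:
    """True when the RRSIG made at `signed_at` is inside its refresh window."""
    remaining = (signed_at + policy.validity) - now
    return remaining <= policy.refresh


def signing_days(policy: SigPolicy, horizon_days: int) -> list:
    """Run the signer once a day for `horizon_days` and return the days on
    which the RRSIG is (re)generated; day 0 is the initial signing."""
    if not policy.is_valid():
        raise ValueError(
            f"{policy.name}: refresh {policy.refresh} must be shorter than "
            f"validity {policy.validity}")
    start = datetime(2010, 3, 15, tzinfo=timezone.utc)  # constructed epoch
    signed_at = start
    days = [0]
    for day in range(1, horizon_days + 1):
        now = start + timedelta(days=day)
        if needs_refresh(policy, signed_at, now):
            signed_at = now
            days.append(day)
    return days


# Values from the quoted example.
KSK = SigPolicy("KSK", validity=timedelta(days=30), refresh=timedelta(days=15))
ZSK = SigPolicy("ZSK", validity=timedelta(days=7), refresh=timedelta(days=4))
# The KSK's refresh window copied unchanged onto the ZSK (shared setting).
ZSK_SHARED = SigPolicy("ZSK (shared refresh)",
                       validity=timedelta(days=7), refresh=timedelta(days=15))


if __name__ == "__main__":
    for policy in (KSK, ZSK):
        print(policy.name, "re-signed on days", signing_days(policy, 30))
    try:
        signing_days(ZSK_SHARED, 30)
    except ValueError as err:
        print("rejected:", err)
```

With split settings the DNSKEY RRSIG is regenerated every 15 days and the zone-data RRSIGs every 3 days; reusing the KSK's 15-day refresh for a 7-day ZSK validity never leaves a signature outside its refresh window, which is the case the quoted message warns about.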
