[Opendnssec-develop] separate validity for signatures over DNSKEY

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Mar 15 10:32:15 UTC 2010


>> You probably do not want to share the refresh interval between the ZSK and KSK, if you are splitting the validity.
>> 
>> E.g.:
>> 
>> KSK - validity 30 days.
>> ZSK - validity 7 days.
>> 
>> Refresh KSK RRSIG when it is 15 days until it expires.
>> Refresh ZSK RRSIG when it is 4 days until it expires.
> 
> when we support offline KSK this may be interesting, but as of now when we require the KSK to be online it really doesn't matter.

So what is the idea of separating the validity period, if you cannot guarantee a higher minimum validity, which is determined by the refresh period?

In my example, you can set the refresh to 15 days, but then you will always create new signatures with the ZSK.

// Rickard
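To make the refresh-versus-validity argument in this message concrete, here is a small added model (my own illustration, not OpenDNSSEC code) of periodic signing runs. It assumes the signer runs once per resign interval and re-signs an RRSIG whenever its remaining validity is below the refresh value; the "minimum remaining validity" it reports is what a resolver could be handed just before a re-sign.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SigPolicy:
    """Per-key signing policy, in days (values taken from the thread)."""
    validity: int  # lifetime of a freshly made RRSIG
    refresh: int   # re-sign when fewer than this many days remain


def simulate(policy: SigPolicy, resign_interval: int, horizon: int):
    """Model signing runs every `resign_interval` days up to `horizon`.

    Returns (signatures_generated, min_remaining_validity). The first
    signature is made at t=0; afterwards a run only re-signs when the
    remaining validity has dropped below policy.refresh.
    """
    expires = policy.validity      # expiry of the current RRSIG
    generated = 1
    min_remaining = policy.validity
    t = resign_interval
    while t <= horizon:
        remaining = expires - t    # what a resolver sees at this run
        min_remaining = min(min_remaining, remaining)
        if remaining < policy.refresh:
            expires = t + policy.validity
            generated += 1
        t += resign_interval
    return generated, min_remaining


if __name__ == "__main__":
    # Separate refresh per key, as proposed in the quoted message.
    print("KSK 30/15:", simulate(SigPolicy(30, 15), 1, 28))  # (2, 14)
    print("ZSK  7/4 :", simulate(SigPolicy(7, 4), 1, 28))    # (8, 3)
    # Shared refresh of 15 days with a 7-day ZSK validity: every run re-signs,
    # so the shorter validity buys nothing and the refresh sets the floor.
    print("ZSK  7/15:", simulate(SigPolicy(7, 15), 1, 28))   # (29, 6)
```

The last case is the point of the message: with a shared 15-day refresh the ZSK signatures are regenerated on every run, while the guaranteed minimum validity a resolver sees is still governed by the refresh value, not by the separate validity.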

