[Opendnssec-develop] separate validity for signatures over DNSKEY

Jakob Schlyter jakob at kirei.se
Mon Mar 15 10:40:10 UTC 2010


On 15 mar 2010, at 11.32, Rickard Bellgrim wrote:

> 
>>> You probably do not want to share the refresh interval between the ZSK and KSK, if you are splitting the validity.
>>> 
>>> E.g.:
>>> 
>>> KSK - validity 30 days.
>>> ZSK - validity 7 days.
>>> 
>>> Refresh KSK RRSIG when it is 15 days until it expires.
>>> Refresh ZSK RRSIG when it is 4 days until it expires.
>> 
>> when we support offline KSK this may be interesting, but as of now when we require the KSK to be online it really doesn't matter.
> 
> So what is the idea of separating the validity period, if you cannot guarantee a higher minimum validity, which is determined by the refresh period.

the idea is if you put the KSK and the ZSK in separate repositories, you could handle a KSK loss easier if you have a longer signature validity by the KSK. in case of a KSK loss, you would increase the refresh and survive a bit longer. at least in theory.


> In my example, you can set the refresh to 15 days, but then you will always create new signatures with the ZSK.

which is not a problem.

	j
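The trade-off discussed in this exchange, worked through as an added example that is not part of the message above or of OpenDNSSEC's own code: a signer that runs once a day re-issues an RRSIG whenever its remaining lifetime drops to the refresh threshold, so the smallest lifetime a resolver ever sees (and the time a zone survives after a key becomes unavailable) is set by the refresh, not by the validity. The lifetimes are the thread's (KSK 30/15 days, ZSK 7/4 days); the 4-day refresh applied to the KSK signature in the "shared refresh" case is an assumption used for contrast, and the daily signer cadence is an assumption too.

```python
"""Constructed simulation of RRSIG validity vs. refresh for KSK and ZSK signatures.
Not OpenDNSSEC code; day counts are the mailing-list example plus labelled assumptions."""


def rrsig_timeline(validity, refresh, horizon, key_lost_on=None):
    """Simulate a signer that runs once a day (assumption).

    The RRSIG is issued on day 0 with `validity` days of lifetime and is re-issued
    whenever the remaining lifetime is `refresh` days or less, unless the signing
    key became unavailable on day `key_lost_on` (that day included).
    Returns (day, remaining_days) pairs, sampled before the signer runs that day;
    a remaining value of 0 or less means the RRSIG no longer validates.
    """
    expiration = validity
    timeline = []
    for day in range(horizon):
        remaining = expiration - day
        timeline.append((day, remaining))
        key_available = key_lost_on is None or day < key_lost_on
        if remaining <= refresh and key_available:
            expiration = day + validity  # re-sign with a fresh validity window
    return timeline


def guaranteed_validity(validity, refresh, horizon=90):
    """Smallest remaining lifetime observable while the key is available.

    This equals the refresh threshold: raising `validity` alone does not raise it.
    """
    return min(rem for _, rem in rrsig_timeline(validity, refresh, horizon))


def days_survived_after_loss(validity, refresh, key_lost_on, horizon=120):
    """Days from the key loss until the last-issued RRSIG stops validating."""
    timeline = rrsig_timeline(validity, refresh, horizon, key_lost_on)
    return len([day for day, rem in timeline if day >= key_lost_on and rem > 0])


def worst_case_survival(validity, refresh, cycle_days=60):
    """Survival if the key is lost on the least convenient day of the cycle."""
    return min(days_survived_after_loss(validity, refresh, d) for d in range(cycle_days))


if __name__ == "__main__":
    # Thread's split policy: KSK 30-day validity refreshed at 15 days remaining.
    print("KSK split refresh  -> guaranteed", guaranteed_validity(30, 15),
          "days, worst-case survival after KSK loss", worst_case_survival(30, 15))
    # Assumed shared refresh: same 30-day KSK validity, but the ZSK's 4-day refresh.
    print("KSK shared refresh -> guaranteed", guaranteed_validity(30, 4),
          "days, worst-case survival after KSK loss", worst_case_survival(30, 4))
    # ZSK: 7-day validity refreshed at 4 days remaining (re-signed every 3 days).
    print("ZSK                -> guaranteed", guaranteed_validity(7, 4), "days")
```

With the split refresh the DNSKEY RRSIG always carries at least 15 days of remaining validity, so a KSK loss leaves at least 15 days to recover; with a refresh shared with the ZSK, the same 30-day validity guarantees only 4 days, which is Rickard's objection, while Jakob's point is that the longer KSK validity only buys anything once the KSK sits in its own repository and its refresh is set independently.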

