[Opendnssec-develop] separate validity for signatures over DNSKEY
Jakob Schlyter
jakob at kirei.se
Mon Mar 15 10:40:10 UTC 2010
On 15 mar 2010, at 11.32, Rickard Bellgrim wrote:
>
>>> You probably do not want to share the refresh interval between the ZSK and KSK, if you are splitting the validity.
>>>
>>> E.g.:
>>>
>>> KSK - validity 30 days.
>>> ZSK - validity 7 days.
>>>
>>> Refresh KSK RRSIG when it is 15 days until it expires.
>>> Refresh ZSK RRSIG when it is 4 days until it expires.
>>
>> when we support offline KSK this may be interesting, but as of now when we require the KSK to be online it really doesn't matter.
>
> So what is the idea of separating the validity period, if you cannot guarantee a higher minimum validity, which is determined by the refresh period?
the idea is that if you put the KSK and the ZSK in separate repositories, you could handle a KSK loss more easily if you have a longer signature validity for the KSK. in case of a KSK loss, you would increase the refresh and survive a bit longer. at least in theory.
> In my example, you can set the refresh to 15 days, but then you will always create new signatures with the ZSK.
which is not a problem.
j
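The scheduling argument in the thread (a re-sign happens when "N days until it expires", so the refresh interval is the floor on how much validity is ever left, and a refresh longer than the ZSK validity means the ZSK re-signs on every run) can be checked with a small simulation. The block below is an added, constructed example, not OpenDNSSEC code and not something posted in the thread; it assumes a signer that runs once a day with whole-day granularity, and the `SigPolicy`, `simulate`, `resign_days`, `signing_interval`, `survival_after_key_loss` and `worst_case_survival` names are mine.

```python
"""Re-sign scheduling for split KSK/ZSK signature lifetimes.

Constructed simulation added for illustration; it is not OpenDNSSEC code.
Time is in whole days and the signer is assumed to run once a day. On each
run, an RRSIG with `refresh` days or fewer of validity left is replaced by a
fresh one valid for `validity` days, which is how the thread phrases
"refresh the RRSIG when it is N days until it expires".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SigPolicy:
    validity: int  # lifetime of a freshly produced RRSIG, in days
    refresh: int   # re-sign once this many days (or fewer) of validity remain

    def __post_init__(self):
        if self.validity <= 0 or self.refresh <= 0:
            raise ValueError("validity and refresh must be positive")


def simulate(policy, horizon):
    """Yield (day, remaining_before_run, expires_after_run) for each daily run.

    Day 0 starts with no signature (remaining 0), so the first run signs.
    """
    expires = 0
    for day in range(horizon):
        remaining = expires - day
        if remaining <= policy.refresh:
            expires = day + policy.validity
        yield day, remaining, expires


def resign_days(policy, horizon):
    """Days (0-based) on which the daily run produced a new RRSIG."""
    return [day for day, remaining, _ in simulate(policy, horizon)
            if remaining <= policy.refresh]


def signing_interval(policy):
    """Steady-state gap in days between two consecutive re-signings.

    Equals validity - refresh while refresh < validity. Once refresh >= validity
    the signature never has more than `refresh` days left, so every run signs
    and the interval collapses to 1 (Rickard's "always create new signatures").
    """
    days = resign_days(policy, 4 * policy.validity + 1)
    return days[-1] - days[-2]


def survival_after_key_loss(policy, loss_day):
    """Days the existing RRSIG keeps validating if the signing key becomes
    unavailable before the run on `loss_day` and nothing can re-sign after.
    """
    if loss_day < 1:
        raise ValueError("day 0 has no signature yet")
    states = list(simulate(policy, loss_day + 1))
    return states[-1][1]  # remaining validity before that day's run


def worst_case_survival(policy, horizon):
    """Fewest days of validity a validator can ever rely on, which is also the
    worst-case time the zone survives a key loss: the refresh interval.
    """
    return min(survival_after_key_loss(policy, d) for d in range(1, horizon))


if __name__ == "__main__":
    ksk = SigPolicy(validity=30, refresh=15)   # values from the thread
    zsk = SigPolicy(validity=7, refresh=4)
    shared = SigPolicy(validity=7, refresh=15)  # ZSK forced onto the KSK refresh
    for name, pol in (("KSK", ksk), ("ZSK", zsk), ("ZSK w/ shared refresh", shared)):
        print(f"{name:22s} re-sign every {signing_interval(pol):2d} day(s), "
              f"worst-case survival {worst_case_survival(pol, 365):2d} day(s)")
    # A longer KSK refresh buys survival time at the cost of more frequent
    # DNSKEY re-signing, which is the trade-off Jakob alludes to.
    print("KSK refresh 20:", worst_case_survival(SigPolicy(30, 20), 365))
```

Running it shows the KSK re-signing every 15 days with a 15-day floor, the ZSK every 3 days with a 4-day floor, and the shared-refresh ZSK re-signing on every single run; raising the KSK refresh to 20 days raises the floor to 20 while shortening the re-sign interval to 10 days.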