[Opendnssec-develop] separate validity for signatures over DNSKEY

Jakob Schlyter jakob at kirei.se
Mon Mar 15 10:40:10 UTC 2010

On 15 mar 2010, at 11.32, Rickard Bellgrim wrote:

>>> You probably do not want to share the refresh interval between the ZSK and KSK, if you are splitting the validity.
>>> E.g.:
>>> KSK - validity 30 days.
>>> ZSK - validity 7 days.
>>> Refresh KSK RRSIG when it is 15 days until it expires.
>>> Refresh ZSK RRSIG when it is 4 days until it expires.
>> when we support offline KSK this may be interesting, but as of now when we require the KSK to be online it really doesn't matter.
> So what is the idea of separating the validity period, if you cannot guarantee a higher minimum validity, which is determined by the refresh period?

the idea is if you put the KSK and the ZSK in separate repositories, you could handle a KSK loss easier if you have a longer signature validity by the KSK. in case of a KSK loss, you would increase the refresh and survive a bit longer. at least in theory.

> In my example, you can set the refresh to 15 days, but then you will always create new signatures with the ZSK.

which is not a problem.
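
The trade-off discussed in this thread, as an added example that is not part of the original message and is not OpenDNSSEC code: a toy signer loop run with the 30/15 and 7/4 day figures quoted above. The 2-hour signer run interval and the rule "re-sign when remaining validity <= refresh" are assumptions made for the simulation.

```python
from datetime import timedelta

DAY = timedelta(days=1)
RESIGN = timedelta(hours=2)  # assumed signer run interval, not from the thread


def simulate(validity, refresh, resign=RESIGN, horizon=90 * DAY):
    """Simulate one RRSIG under a periodic signer.

    Returns (worst, resigns, runs): `worst` is the smallest remaining
    validity ever published, i.e. how long the signature is guaranteed to
    outlive the sudden loss of the key that made it.
    """
    now = timedelta(0)
    expiry = now + validity           # signature created at t = 0
    worst = validity
    runs = resigns = 0
    while now < horizon:
        now += resign                 # next signer run
        runs += 1
        remaining = expiry - now
        worst = min(worst, remaining)  # state just before any re-sign
        if remaining <= refresh:      # assumed refresh rule
            expiry = now + validity
            resigns += 1
    return worst, resigns, runs


# (validity, refresh) pairs built from the numbers in the thread
SCENARIOS = {
    "KSK sig, own refresh (30d/15d)": (30 * DAY, 15 * DAY),
    "KSK sig, shared ZSK refresh (30d/4d)": (30 * DAY, 4 * DAY),
    "ZSK sig, own refresh (7d/4d)": (7 * DAY, 4 * DAY),
    "ZSK sig, shared KSK refresh (7d/15d)": (7 * DAY, 15 * DAY),
}

if __name__ == "__main__":
    for name, (validity, refresh) in SCENARIOS.items():
        worst, resigns, runs = simulate(validity, refresh)
        print(f"{name}: guaranteed remaining {worst}, "
              f"re-signed on {resigns} of {runs} runs")
```

With a shared 4-day refresh, the 30-day DNSKEY signature is only guaranteed about 4 days of remaining life, the same as the ZSK signatures. A shared 15-day refresh makes the 7-day ZSK signatures be regenerated on every run.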

