[Opendnssec-develop] separate validity for signatures over DNSKEY

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Mar 15 10:48:57 UTC 2010


the idea is if you put the KSK and the ZSK in separate repositories, you could handle a KSK loss more easily if you have a longer signature validity by the KSK. in case of a KSK loss, you would increase the refresh and survive a bit longer. at least in theory.

Yes, so you do want to have the possibility to set a higher minimum validity period for the signatures over the DNSKEY RRset.

But if you increase the refresh period, then this also affects the signatures from the ZSK.


In my example, you can set the refresh to 15 days, but then you will always create new signatures with the ZSK.

which is not a problem.

It is, if you have a large zone. We do not want to create a complete new set of signatures every second hour.

If we are going to do this for this release, then we should do it correctly from the beginning. And not patch it up for the next release.

// Rickard
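Added illustration, not part of the thread and not OpenDNSSEC code: a toy model of the signer's refresh rule (a signature is regenerated on a signer run when its remaining lifetime is below Refresh). It shows why a single 15-day refresh against a shorter validity regenerates every ZSK signature on each two-hourly run, while a separate refresh/validity pair for the DNSKEY RRset does not. The 14-day zone validity, 30-day DNSKEY validity and 1000-RRset zone size are assumed values.

```python
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class Policy:
    resign: int    # interval between signer runs
    refresh: int   # regenerate when remaining lifetime drops below this
    validity: int  # lifetime of a freshly made signature


def regenerated_signatures(policy: Policy, n_rrsets: int, horizon: int) -> int:
    """Run the signer every `resign` seconds up to `horizon` and count how many
    RRSIGs are regenerated after the initial signing at t=0 (toy model)."""
    expirations = [policy.validity] * n_rrsets  # everything signed at t=0
    regenerated = 0
    t = 0
    while t + policy.resign <= horizon:
        t += policy.resign
        for i, exp in enumerate(expirations):
            if exp - t < policy.refresh:          # the refresh rule
                expirations[i] = t + policy.validity
                regenerated += 1
    return regenerated


def compare(horizon: int = 30 * DAY, zone_rrsets: int = 1000) -> dict:
    """Three assumed configurations over the same observation window."""
    return {
        # One shared 15-day refresh with a 14-day validity: refresh exceeds
        # validity, so every zone RRSIG is redone on every run.
        "zone, refresh 15d / validity 14d":
            regenerated_signatures(Policy(2 * HOUR, 15 * DAY, 14 * DAY), zone_rrsets, horizon),
        # A refresh shorter than the validity: each RRSIG is redone only
        # when it nears expiry.
        "zone, refresh 3d / validity 14d":
            regenerated_signatures(Policy(2 * HOUR, 3 * DAY, 14 * DAY), zone_rrsets, horizon),
        # A separate policy for the single DNSKEY RRset signed by the KSK:
        # long refresh and validity without touching the zone signatures.
        "DNSKEY, refresh 15d / validity 30d":
            regenerated_signatures(Policy(2 * HOUR, 15 * DAY, 30 * DAY), 1, horizon),
    }


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name}: {count} signatures regenerated in 30 days")
```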