[Opendnssec-develop] separate validity for signatures over DNSKEY

Jakob Schlyter jakob at kirei.se
Mon Mar 15 10:55:22 UTC 2010


On 15 mar 2010, at 11.48, Rickard Bellgrim wrote:

>> 
>> the idea is if you put the KSK and the ZSK in separate repositories, you could handle a KSK loss easier if you have a longer signature validity by the KSK. in case of a KSK loss, you would increase the refresh and survive a bit longer. at least in theory.
> 
> Yes, so you do want to have the possibility to set a higher minimum validity period for the signatures over the DNSKEY RRset.
> 
> But if you increase the refresh period, then this also affects the signatures from the ZSK. 

but you would only increase the refresh when you've lost your KSK. I'm not saying this is the final way we want to do this, but this change would help for users that want to be able to recover from a lost KSK. with this change, they only have their normal validity and that's not long enough.

	jakob
