[Opendnssec-develop] separate validity for signatures over DNSKEY

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Mar 15 11:03:17 UTC 2010


> but you would only increase the refresh when you've lost your KSK. I'm not saying this is the final way we want to do this, but this change would help for users that want to be able to recover from a lost KSK. With this change, they only have their normal validity and that's not long enough.

Isn't it already too late if you have lost your KSK? You cannot create a new signature with a higher validity if the KSK is lost.

If we have the higher validity from the beginning, then you have more time to distribute the new trust anchor. To get this window, you also have to increase the refresh period.

// Rickard

