[Opendnssec-develop] separate validity for signatures over DNSKEY

Jakob Schlyter jakob at kirei.se
Mon Mar 15 11:10:10 UTC 2010


On 15 mar 2010, at 12.03, Rickard Bellgrim wrote:

> 
>> but you would only increase the refresh when you've lost your KSK. I'm not saying this is the final way we want to do this, but this change would help for users that want to be able to recover from a lost KSK. with this change, they only have their normal validity and that's not long enough.
> 
> Isn't it already too late if you have lost your KSK? You cannot create a new signature with a higher validity if the KSK is lost.
> 
> If we have the higher validity from the beginning, then you have more time to distribute the new trust anchor. To get this window, you also have to increase the refresh period.

no, you can have a high validity for the DNSKEY RRSIGs (by KSK) and a low refresh. if you lose your KSK, you can increase the refresh (remember, increasing refresh does not change existing sigs - it will just let them stay put longer).

	jakob
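The validity/refresh interplay argued in this message, as an added example that is neither from the thread nor from the OpenDNSSEC project: a simplified model (an assumption, not the signer's actual algorithm) in which a signature is reused until it is `refresh` old and then regenerated with a fresh `validity`. It computes how long the published DNSKEY RRSIG stays valid after the KSK is lost, and shows that changing `refresh` afterwards leaves the existing signature untouched.

```python
# Simplified model (assumption): a signature is reused until it is `refresh`
# old, then the signer regenerates it with a fresh `validity`. Times in seconds.
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


@dataclass(frozen=True)  # an existing RRSIG never changes; it is only replaced
class Rrsig:
    inception: int
    expiration: int


def sign_dnskey(now: int, validity: int) -> Rrsig:
    return Rrsig(inception=now, expiration=now + validity)


def due_for_refresh(sig: Rrsig, now: int, refresh: int) -> bool:
    return now >= sig.inception + refresh


def signer_run(sig: Rrsig, now: int, validity: int, refresh: int,
               ksk_available: bool) -> Rrsig:
    """One signer pass over the DNSKEY RRset. Without the KSK no new
    signature can be produced, so the old one stays until it expires."""
    if due_for_refresh(sig, now, refresh) and ksk_available:
        return sign_dnskey(now, validity)
    return sig


def dnskey_sig_at_loss(validity: int, refresh: int, loss_time: int) -> Rrsig:
    """Run the signer hourly from t=0 and return the DNSKEY RRSIG that is
    in place when the KSK is lost at `loss_time`."""
    sig = sign_dnskey(0, validity)
    for now in range(HOUR, loss_time + 1, HOUR):
        sig = signer_run(sig, now, validity, refresh, ksk_available=True)
    return sig


def recovery_window(validity: int, refresh: int, loss_time: int) -> int:
    """Seconds the published DNSKEY RRSIG remains valid after the loss,
    i.e. the time available to distribute a new trust anchor."""
    return dnskey_sig_at_loss(validity, refresh, loss_time).expiration - loss_time


if __name__ == "__main__":
    loss = 3 * DAY + 12 * HOUR  # constructed scenario: KSK lost on day 3.5
    for validity, refresh in ((7 * DAY, DAY), (30 * DAY, DAY), (30 * DAY, 7 * DAY)):
        print(f"validity {validity // DAY:2}d, refresh {refresh // DAY}d -> "
              f"{recovery_window(validity, refresh, loss) / DAY:.1f} days to recover")
```

A long DNSKEY validity with a short refresh keeps the published signature young, so nearly the whole validity is left when the key is lost; a longer refresh gives a smaller window because the signature in place is older.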
