[Opendnssec-develop] separate validity for signatures over DNSKEY

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Mar 15 12:04:17 UTC 2010


>> Isn't already too late if you have lost your KSK? You cannot create a new signature with a higher validity if the KSK is lost.
>> 
>> If we have the higher validity from the beginning, then you have more time to distribute the new trust anchor. To get this window, you also have to increase the refresh period.
> 
> no, you can have a high validity for the DNSKEY RRSIGs (by KSK) and a low refresh. if you lose your KSK, you can increase the refresh (remember, increasing refresh does not change existing sigs - it will just let them stay put longer).

I wouldn't rely on the best case (validity period). I would rely on the worst case (refresh period).

Let's say that you have 30 days validity and 4 days refresh. It is now 5 days until the signature expires and you lose your KSK. Raising the refresh period will not save you. It is still 5 days until the signature expires; the expire timestamp is already in the signature.

Your signatures are valid between 30 and 4 days into the future with this refresh period. You will reuse your signature up to that day. And if you lose your KSK just before we decide to refresh, then you cannot fix it with a higher refresh period.

My conclusion: We must also have a separate refresh period, so that you do not need to recreate the signatures from the ZSK all the time, thus having the possibility to always have a high refresh period for the DNSKEY signatures.

// Rickard 

