[Opendnssec-develop] separate validity for signatures over DNSKEY

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Mar 15 12:58:31 UTC 2010

For the signer engine, it is not that hard to implement separate refresh 
for keys.

If we are going to do this, I suggest this change in the kasp configuration:

  	# the signatures are reused for a period of time
  	# how long time before the expiration of the signature
	# should it be refreshed?
-	element Refresh { xsd:duration },
+	element Refresh {
+		element Default { xsd:duration },
+		element Keys { xsd:duration }?
+	},
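Review bot: the comment block kept above the element still describes a single refresh duration; with Refresh split into Default and Keys, the comment should say which signatures Keys governs (the DNSKEY RRset signatures discussed in this thread) and that an absent Keys falls back to Default. Since the message itself notes the new shape is not compatible with the current kasp.rnc, consider accepting either form, e.g. `element Refresh { xsd:duration | (element Default { xsd:duration }, element Keys { xsd:duration }?) }`, so existing policy files keep validating while new ones can use the split.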

Imo, it is cleaner than adding an element RefreshKeys. However, this is 
not compatible with the current kasp.rnc.


Rickard Bellgrim wrote:
>>> Isn't it already too late if you have lost your KSK? You cannot create a new signature with a higher validity if the KSK is lost.
>>> If we have the higher validity from the beginning, then you have more time to distribute the new trust anchor. To get this window, you also have to increase the refresh period.
>> no, you can have a high validity for the DNSKEY RRSIGs (by KSK) and a low refresh. if you lose your KSK, you can increase the refresh (remember, increasing refresh does not change existing sigs - it will just let them stay put longer).
> I wouldn't rely on the best case (validity period). I would rely on the worst case (refresh period).
> Let's say that you have 30 days validity and 4 days refresh. It is now 5 days until the signature expires and you lose your KSK. Raising the refresh period will not save you. It is still 5 days until the signature expires; the expiration timestamp is already in the signature.
> Your signatures are valid between 30 and 4 days into the future with this refresh period. You will reuse your signature up to that day. And if you lose your KSK just before we decide to refresh, then you cannot fix it with a higher refresh period.
> My conclusion: We must also have a separate refresh period, so that you do not need to recreate the signatures from the ZSK all the time. Thus having the possibility to always have a high refresh period for the DNSKEY signatures.
> // Rickard
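The scenario from the quoted reply (30 days validity, 4 days refresh, KSK lost 5 days before the signature expires), as an added simulation that is not part of the original message or of OpenDNSSEC; the day-granular model, the `simulate` and `grace_after_loss` names and the 25-day keys refresh used for comparison are assumptions:

```python
# Added example (not OpenDNSSEC code): a day-granular model of RRSIG reuse
# under a Validity/Refresh policy, showing why raising Refresh after a KSK
# loss cannot extend a signature whose expiration is already written.
from dataclasses import dataclass


@dataclass
class Rrsig:
    inception: int
    expiration: int


def sign(now, validity):
    """A fresh signature covers [now, now + validity]."""
    return Rrsig(now, now + validity)


def simulate(validity, refresh, horizon, ksk_lost_on=None, refresh_after_loss=None):
    """Re-sign the DNSKEY RRset as soon as fewer than `refresh` days remain.

    From day `ksk_lost_on` the KSK is gone: Refresh may still be raised to
    `refresh_after_loss`, but no new signature can be made, so the current
    RRSIG keeps its expiration.  Returns the re-sign days, the smallest
    remaining validity seen while the KSK existed, and the last expiration.
    """
    sig = sign(0, validity)
    resign_days, min_remaining = [0], validity
    for day in range(1, horizon + 1):
        ksk_available = ksk_lost_on is None or day < ksk_lost_on
        if not ksk_available and refresh_after_loss is not None:
            refresh = refresh_after_loss
        if sig.expiration - day < refresh:
            if not ksk_available:
                break  # refresh is due, but there is no KSK to sign with
            sig = sign(day, validity)
            resign_days.append(day)
        if ksk_available:
            min_remaining = min(min_remaining, sig.expiration - day)
    return {"resign_days": resign_days, "min_remaining": min_remaining,
            "final_expiration": sig.expiration}


def grace_after_loss(validity, refresh, ksk_lost_on, refresh_after_loss=None):
    """Days from losing the KSK until the DNSKEY RRSIG expires."""
    r = simulate(validity, refresh, ksk_lost_on + validity, ksk_lost_on,
                 refresh_after_loss)
    return r["final_expiration"] - ksk_lost_on


if __name__ == "__main__":
    print(simulate(30, 4, 60))              # re-signs on days 27 and 54
    print(grace_after_loss(30, 4, 25, 20))  # 5: raising Refresh did not help
    print(grace_after_loss(30, 25, 25))     # 29: a high keys refresh did
```

The worst-case slack equals the refresh value, which is the point of giving the DNSKEY signatures their own, larger Refresh.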
