[Opendnssec-develop] separate validity for signatures over DNSKEY
Jakob Schlyter
jakob at kirei.se
Mon Mar 15 21:38:32 UTC 2010
On 15 mar 2010, at 13.58, Matthijs Mekking wrote:
> For the signer engine, it is not that hard to implement separate refresh for keys.
>
> If we are going to do this, I suggest this change in the kasp configuration:
>
> # the signatures are reused for a period of time
> # how long time before the expiration of the signature
> # should it be refreshed?
> - element Refresh { xsd:duration },
> + element Refresh {
> + element Default { xsd:duration },
> + element Keys { xsd:duration }?
> + },
>
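Review bot: The new `element Refresh { ... }` no longer accepts a bare duration, so an existing KASP configuration that puts a duration directly inside Refresh stops validating once `- element Refresh { xsd:duration },` is dropped. Consider letting Refresh accept either content model (a bare xsd:duration, or the Default/Keys children) so that old files keep working. The three comment lines above the element also still describe a single refresh interval; they should state that `Keys` applies to the signatures over DNSKEY and which value is used when the optional `Keys` is omitted.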
> Imo, it is cleaner than adding an element RefreshKeys. However, this is not compatible with the current kasp.rnc.

If we need this, we should do almost as above, but we can actually still be backwards compatible if we want to.
jakob