[Opendnssec-develop] separate validity for signatures over DNSKEY

sion at nominet.org.uk sion at nominet.org.uk
Tue Mar 16 14:59:11 UTC 2010


> > For the signer engine, it is not that hard to implement separate
> > refresh for keys.
> >
> > If we are going to do this, I suggest this change in the kasp
> > configuration:
> >
> >    # the signatures are reused for a period of time
> >    # how long time before the expiration of the signature
> >    # should it be refreshed?
> > -   element Refresh { xsd:duration },
> > +   element Refresh {
> > +      element Default { xsd:duration },
> > +      element Keys { xsd:duration }?
> > +   },
> >
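
Review bot: Replacing `element Refresh { xsd:duration }` with a container that requires a `Default` child means any existing configuration whose Refresh holds a bare duration no longer validates against the schema. If backwards compatibility matters, consider letting Refresh accept either the bare duration or the new Default/Keys children. The comment above the element should also say which signatures `Default` and `Keys` each cover, and what applies when the optional `Keys` is absent.
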
> > Imo, it is cleaner than adding an element RefreshKeys. However,
> > this is not compatible with the current kasp.rnc
>
> If we need this we should do almost as above, but we can actually still
> be backwards compatible if we want to.

Do we have a final decision on this? Is the above going to make it into
subversion?



