[Opendnssec-develop] separate validity for signatures over DNSKEY
sion at nominet.org.uk
sion at nominet.org.uk
Tue Mar 16 14:59:11 UTC 2010
> > For the signer engine, it is not that hard to implement separate
> refresh for keys.
> >
> > If we are going to do this, I suggest this change in the kasp
configuration:
> >
> > # the signatures are reused for a period of time
> > # how long time before the expiration of the signature
> > # should it be refreshed?
> > - element Refresh { xsd:duration },
> > + element Refresh {
> > + element Default { xsd:duration },
> > + element Keys { xsd:duration }?
> > + },
> >
> > Imo, it is cleaner than adding an element RefreshKeys. However,
> this is not compatible with the current kasp.rnc
>
> if we need this we should almost as above, but we can actually still
> be backwards compatible if we want to.
Do we have a final decision on this? Is the above going to make it into
subversion?
More information about the Opendnssec-develop
mailing list