[Opendnssec-develop] separate validity for signatures over DNSKEY

sion at nominet.org.uk sion at nominet.org.uk
Tue Mar 16 15:25:33 UTC 2010


> >> For the signer engine, it is not that hard to implement separate
> >> refresh for keys.
> >>
> >> If we are going to do this, I suggest this change in the kasp
> >> configuration:
> >>
> >>    # the signatures are reused for a period of time
> >>    # how long time before the expiration of the signature
> >>    # should it be refreshed?
> >> -   element Refresh { xsd:duration },
> >> +   element Refresh {
> >> +      element Default { xsd:duration },
> >> +      element Keys { xsd:duration }?
> >> +   },
> >>
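Review bot: the `-`/`+` lines turn the content of `Refresh` from a bare `xsd:duration` into a required `Default` child element, so every existing kasp.xml whose `<Refresh>` holds a plain duration stops validating against the new schema; if the thread's wish for backwards compatibility is to be met, the schema can accept both shapes with a RELAX NG choice, for example `element Refresh { xsd:duration | (element Default { xsd:duration }, element Keys { xsd:duration }?) }`. The comment above the element still describes a single refresh value; it should say that `Keys` applies to signatures over the DNSKEY RRset and that `Default` is used when `Keys` is omitted, since nothing in the hunk states the fallback.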
> >> Imo, it is cleaner than adding an element RefreshKeys. However,
> >> this is not compatible with the current kasp.rnc
> >
> > if we need this we should almost as above, but we can actually
> > still be backwards compatible if we want to.
> >
> >    jakob
> >
>
> I think that the suggestion from Matthijs is good from a user
> perspective, since it is one group, just like the validity. But it
> is, as you say, not compatible with the previous KASP.
>
> I think that usability wins over the compatibility.

Anything that is passed through the enforcer to the signer needs to be
stored in the database. So there will be compatibility issues there too.

I also think that usability wins, a lot of the issues we see already are
due to misunderstandings of how things work.

Sion
