[Opendnssec-develop] ZSK rollovers

Sion Lloyd sion at nominet.org.uk
Wed May 5 08:46:56 UTC 2010

We had a discussion on the phone conference about ZSK rollovers and why the signatures are all recreated...

Rickard has just pointed out to me that the timing draft includes a term Dsgn in the ZSK retire time.

What this does is add in the time that a signature can be expected to hang around in a zone for. I think that this is:

(validity - refresh) + resign

(I.e. assume the signature is created just before a key expires, then add up the length of time that the signature will be left alone plus the resign interval which is just the granularity of the system.)

So if I add this to the length of time that the key is published in the zone after it retires we can have the gradual switch between keys which will look like:

Sign with the old key until it retires, then use the _new_ key to replace signatures as they reach the end of their lives. The old key will be published for longer, until all signatures generated with it have been replaced.

This way we do not need to communicate any more information to the signer.

Does this work?
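As an added illustration (not part of Sion's message or of the OpenDNSSEC code), here is a small simulation of the gradual switch he describes: a steady-state zone in which one RRset signature comes up for refresh on every resign tick, the signer re-signing anything within `refresh` of expiry with whichever ZSK is active. It checks that the last old-key signature disappears no later than retire time plus the Dsgn term `(validity - refresh) + resign`. The numbers, the steady-state layout and the refresh rule are assumptions of this example.

```python
from dataclasses import dataclass


def dsgn(validity: int, refresh: int, resign: int) -> int:
    """Longest time a signature may linger once made: (validity - refresh) + resign."""
    return (validity - refresh) + resign


def old_key_unpublish_time(validity: int, refresh: int, resign: int,
                           retire_at: int, publish_after_retire: int = 0) -> int:
    """Earliest time the retired ZSK can leave the zone: the existing
    post-retire publish period extended by Dsgn, as the message proposes."""
    return retire_at + publish_after_retire + dsgn(validity, refresh, resign)


@dataclass
class Sig:
    key: str          # "old" or "new" ZSK (constructed labels)
    expiration: int   # absolute time, same units as the parameters


def simulate_rollover(validity: int, refresh: int, resign: int, retire_at: int):
    """Constructed zone in steady state: signatures whose remaining lifetime is
    spread evenly between `refresh` and `validity`, so exactly one is refreshed
    per resign tick. Signing uses the old key until `retire_at`, then the new key.
    Returns the first tick after which no old-key signature remains, or None if a
    signature ever expired before being replaced (a lapse)."""
    zone = [Sig("old", refresh + i * resign) for i in range((validity - refresh) // resign)]
    now = 0
    while now <= retire_at + 2 * validity:          # guard against a runaway loop
        active = "old" if now < retire_at else "new"
        for s in zone:
            if s.expiration - now <= refresh:       # signer's refresh rule (assumed)
                s.key, s.expiration = active, now + validity
        if any(s.expiration <= now for s in zone):
            return None                             # a signature lapsed
        if all(s.key == "new" for s in zone):
            return now                              # old key no longer signs anything
        now += resign
    return None


if __name__ == "__main__":
    v, r, g, t = 1000, 300, 100, 450                # constructed: validity, refresh, resign, retire
    print("last old signature gone at", simulate_rollover(v, r, g, t))
    print("retire + Dsgn bound        ", old_key_unpublish_time(v, r, g, t))
```

With these values the old key's last signature is replaced at tick 1100, inside the bound of 1250 given by retire time plus Dsgn; the slack is the granularity the message attributes to the resign interval.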

