[Opendnssec-develop] ZSK rollovers

Stephen Morris sa.morris7 at googlemail.com
Wed May 5 12:24:00 UTC 2010


On 05/05/2010 09:46, Sion Lloyd wrote:

> We had a discussion on the phone conference about ZSK rollovers and why
> the signatures are all recreated...
>
> Rickard has just pointed out to me that the timing draft includes a term
> Dsgn in the ZSK retire time.
>
> What this does is add in the time that a signature can be expected to
> hang around in a zone for. I think that this is:
>
> (validity - refresh) + resign
>
> (I.e. assume the signature is created just before a key expires, then
> add up the length of time that the signature will be left alone plus the
> resign interval which is just the granularity of the system.)
>
> So if I add this to the length of time that the key is published in the
> zone after it retires we can have the gradual switch between keys which
> will look like:
>
> Sign with the old key until it retires, then use the _new_ key to
> replace signatures as they reach the end of their lives. The old key
> will be published for longer, until all signatures generated with it
> have been replaced.
>
> This way we do not need to communicate any more information to the signer.
>
> Does this work?
>
> Sion

That's the way I envisage it working.

AIUI, at the moment the signer is told what keys to publish in the zone 
and, of those keys, what key is the active one.  No change is needed to 
that for this scheme to work.

Stephen



More information about the Opendnssec-develop mailing list