[Opendnssec-develop] review: Signature recycle etc.

Sion Lloyd sion at nominet.org.uk
Thu Sep 30 09:03:39 UTC 2010


> 
> > please review http://trac.opendnssec.org/wiki/Signer/Signatures.
> 
> How will this affect the Enforcer? Does it e.g. take recycling into
> account when rolling ZSK?

For ZSKs we move from retire to dead after:
zsksiglife + propdelay + retire safety

and for KSKs it looks like:
kskttl + kskpropdelay + retire safety


If we keep keys in the retire state for an additional "expiration minus 
Refresh" then we are covered. (Maybe just expiration to be on the safe side?)

Does this change need to be made to trunk?


