[Opendnssec-develop] review: Signature recycle etc.
sion at nominet.org.uk
Thu Sep 30 09:03:39 UTC 2010
> > please review http://trac.opendnssec.org/wiki/Signer/Signatures.
> How will this affect the Enforcer? Does it e.g. take recycling into
> account when rolling ZSK?
For ZSKs we move from retire to dead after:

    zsksiglife + propdelay + retire safety

and for KSKs it looks like:

    kskttl + kskpropdelay + retire safety

If we keep keys in the retire state for an additional "expiration minus
Refresh" then we are covered. (Maybe just expiration to be on the safe side?)

Does this change need to be made to trunk?