[Opendnssec-develop] review: Signature recycle etc.
Matthijs Mekking
matthijs at NLnetLabs.nl
Thu Sep 30 13:19:11 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/30/2010 11:03 AM, Sion Lloyd wrote:
>>
>>> please review http://trac.opendnssec.org/wiki/Signer/Signatures.
>>
>> How will this affect the Enforcer? Does it e.g. take recycling into
>> account when rolling ZSK?
>
> For ZSKs we move from retire to dead after:
> zsksiglife + propdelay + retire safety
retire safety should cover the time to resign the zone. From the
key-timing draft, Iret = Dsgn + Dprp + TTLSIG.
The time to resign covers refresh:
Dsgn = max(expiration) - refresh
But then the enforcer needs to check zone content for the expiration
timings. That doesn't feel right. Perhaps you can derive it from the policy:
Dsgn = (validity + offset + jitter) - refresh ?
Best regards,
Matthijs
>
> and for KSKs it looks like:
> kskttl + kskpropdelay + retire safety
>
>
> If we keep keys in the retire state for an additional "expiration minus
> Refresh" then we are covered. (Maybe just expiration to be on the safe side?)
>
> Does this change need to be made to trunk?
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJMpI5OAAoJEA8yVCPsQCW5Lg8IAKuZJMaUXOoefSjVie+gTWci
/3swxRRLgCrLmgD9q2o3I6VAAEgREqPA3Ox5vAhVxnPEX2wU0GSrjXMS+0rG8hCa
JR5c3yY0Lcr3Q74ZJIJZpbemEQW7KsMaNWVvSLS4tDcLnNZK7zeU0xfUgyJTYzGX
m4u82mhzw82SmHRv0hlET2C5yNGF0M7Pp+jVmrqA0+YOqfKYHpA+37BTpusC+3gK
+msPym6ElpaO5GPoWDCJQZLoz03UX0JemD2cpYpOgtbOaqoZ7X/XdWBb8J9Ot6gy
/SmqCVFeqFbYcY6M4UVhJQCEK00tSys/BI/VNnwi/i17ZHqBf9btvmhTbjb4/kA=
=9gvs
-----END PGP SIGNATURE-----
More information about the Opendnssec-develop
mailing list