[Opendnssec-develop] review: Signature recycle etc.

Matthijs Mekking matthijs at NLnetLabs.nl
Thu Sep 30 13:19:11 UTC 2010





On 09/30/2010 11:03 AM, Sion Lloyd wrote:
>>
>>> please review http://trac.opendnssec.org/wiki/Signer/Signatures.
>>
>> How will this affect the Enforcer? Does it e.g. take recycling into
>> account when rolling ZSK?
> 
> For ZSKs we move from retire to dead after:
> zsksiglife + propdelay + retire safety

retire safety should cover the time to resign the zone. From the
key-timing draft, Iret = Dsgn + Dprp + TTLSIG.

The time to resign covers refresh:

Dsgn = max(expiration) - refresh

But then the enforcer needs to check zone content for the expiration
timings. That doesn't feel right. Perhaps you can derive it from the policy:

Dsgn = (validity + offset + jitter) - refresh ?


Best regards,

Matthijs


> 
> and for KSKs it looks like:
> kskttl + kskpropdelay + retire safety
> 
> 
> If we keep keys in the retire state for an additional "expiration minus 
> Refresh" then we are covered. (Maybe just expiration to be on the safe side?)
> 
> Does this change need to be made to trunk?
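A worked version of the policy-derived timing discussed above, added here as an example and not code from this thread or from OpenDNSSEC itself. It assumes kasp.xml-style element names (Signatures/Refresh, Validity (its Default), Jitter, InceptionOffset, MaxZoneTTL, Zone/PropagationDelay, Keys/RetireSafety) and uses constructed sample values; it computes Dsgn = (validity + offset + jitter) - refresh, Iret = Dsgn + Dprp + TTLSIG, and checks whether RetireSafety covers the resign time.

```python
import re

# Durations in kasp.xml are ISO 8601 (e.g. "PT3600S", "P1D", "P1DT12H").
# Month/year units are rejected on purpose: their length is ambiguous for timing maths.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Return an ISO 8601 day/time duration as a number of seconds."""
    m = _DURATION.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def resign_interval(policy):
    """Dsgn derived from the policy alone, as proposed in the mail:
    (validity + inception offset + jitter) - refresh, i.e. the longest a signature
    made with the retiring ZSK can stay in the zone before the signer replaces it."""
    sig = policy["Signatures"]  # "Validity" here stands for Validity/Default in kasp.xml
    longest_lifetime = sum(parse_duration(sig[k]) for k in ("Validity", "InceptionOffset", "Jitter"))
    return longest_lifetime - parse_duration(sig["Refresh"])


def retire_interval(policy):
    """Iret = Dsgn + Dprp + TTLSIG from the key-timing draft, all taken from the policy
    (TTLSIG approximated by MaxZoneTTL, an assumption of this example)."""
    return (resign_interval(policy)
            + parse_duration(policy["Zone"]["PropagationDelay"])
            + parse_duration(policy["Signatures"]["MaxZoneTTL"]))


def retire_safety_covers_resign(policy):
    """The check the mail argues for: RetireSafety must be at least Dsgn, otherwise a
    ZSK can go dead while RRSIGs it produced are still being served from caches."""
    return parse_duration(policy["Keys"]["RetireSafety"]) >= resign_interval(policy)


# Constructed sample policy (kasp.xml-style names; the values are illustrative only).
EXAMPLE_POLICY = {
    "Signatures": {"Refresh": "P3D", "Validity": "P14D", "Jitter": "PT12H",
                   "InceptionOffset": "PT3600S", "MaxZoneTTL": "P1D"},
    "Zone": {"PropagationDelay": "PT9999S"},
    "Keys": {"RetireSafety": "PT3600S"},
}

if __name__ == "__main__":
    print("Dsgn =", resign_interval(EXAMPLE_POLICY), "s")
    print("Iret =", retire_interval(EXAMPLE_POLICY), "s")
    print("RetireSafety covers resign:", retire_safety_covers_resign(EXAMPLE_POLICY))
```

With the sample values a one-hour RetireSafety is far shorter than the roughly eleven-day Dsgn, which is exactly the gap the mail suggests the enforcer should close from the policy rather than from zone content.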


