[Opendnssec-develop] Signer Enforcer Communication

Yuri Schaeffer yuri at NLnetLabs.nl
Mon Dec 5 12:01:09 UTC 2011

While Matthijs is enjoying the sun, could you help verify I'm correct?

In order to support smooth rollovers the enforcer must wait TTL + some
additional_time when transitioning an RRSIG state from rumoured to
omnipresent. (Signatures only get replaced when they expire).

What is "additional_time"? I think:

additional_time = Signatures->Validity->default + Signatures->Jitter

As the enforcer I do not know the actual jitter value, so I must wait
worst case time (I wait max 2*jitter too long).

I believe I can ignore the refresh and resign intervals.


Yuri Schaeffer
NLnet Labs
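
The waiting-time reasoning in the message above, as an added example that is not part of the original post and not OpenDNSSEC code. It assumes what the message states (signatures are replaced only when they expire, refresh and resign intervals ignored) plus a per-signature jitter drawn from [-Jitter, +Jitter]; the function names and sample values are constructed.

```python
import random

def enforcer_wait(ttl, validity, jitter):
    """Worst-case wait proposed in the message: TTL + validity default + jitter.
    The enforcer cannot see the jitter the signer drew for each signature."""
    return ttl + validity + jitter

def old_sig_lifetime(ttl, validity, drawn_jitter, age=0):
    """Seconds after the rollover until one old-key RRSIG is gone from caches.
    Assumption: the signer replaces it only at expiry, and a resolver may
    have cached it just before that moment, keeping it for one more TTL."""
    if age < 0:
        raise ValueError("age must be non-negative")
    remaining = validity + drawn_jitter - age  # time left until expiry
    if remaining < 0:
        raise ValueError("signature expired before the rollover")
    return remaining + ttl

def overshoot_range(ttl, validity, jitter, samples, seed):
    """Draw per-signature jitter as the signer would and report how much
    longer than necessary the enforcer waits (min, max), in seconds."""
    rng = random.Random(seed)
    wait = enforcer_wait(ttl, validity, jitter)
    over = []
    for _ in range(samples):
        drawn = rng.randint(-jitter, jitter)  # unknown to the enforcer
        # age=0: signature created right before the rollover (worst case)
        over.append(wait - old_sig_lifetime(ttl, validity, drawn))
    return min(over), max(over)

if __name__ == "__main__":
    # Constructed sample policy: TTL 1h, validity 14d, jitter 12h
    TTL, VALIDITY, JITTER = 3600, 14 * 86400, 12 * 3600
    print("enforcer waits", enforcer_wait(TTL, VALIDITY, JITTER), "s")
    lo, hi = overshoot_range(TTL, VALIDITY, JITTER, samples=10000, seed=1)
    print("overshoot between", lo, "and", hi, "s; 2*jitter =", 2 * JITTER)
```

A negative overshoot would mean an old signature could still be served from a cache after the state was declared omnipresent, which is the case the wait is meant to exclude.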
