[Opendnssec-develop] Signer Enforcer Communication

[Matthijs Mekking]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Yuri,

Because the enforcer cannot look into the signed zone, it can only be
sure some additional time before all new RRSIGs are introduced. From the
moment that the signer has a new signer configuration (t0), the enforcer
has to wait until all signatures have been replaced (dx).

The moment that a signature is replaced is the at the resign interval
where the signature is not fresh anymore for the first time:

	(validity + jitter) + resign - refresh

Note that jitter in the worst case is 1*jitter, because the jitter range
is from [-j ... j].

Note that the maximum validity is

	max(Signatures->Validity->Default, Signatures->Validity->Denial)

Hope this clarification helps.

Best regards,
  Matthijs

On 12/05/2011 01:01 PM, Yuri Schaeffer wrote:
> While Matthijs is enjoying the sun, could you help verify I'm correct?
> 
> In order to support smooth rollovers the enforcer must wait TTL + some
> additional_time when transition a RRSIG state from rumoured to
> omnipresent. (Signatures only get replaced when they expire).
> 
> What is "additional_time"? I think:
> 
> additional_time = Signatures->Validity->default + Signatures->Jitter
> 
> As the enforcer I do not know the actual jitter value, so I must wait
> worst case time (I wait max 2*jitter to long).
> 
> I believe I can ignore the refresh and resign intervals.
> 
> //yuri
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJO8wrWAAoJEA8yVCPsQCW5NN0H/0hQ8p9k8mcH0rW2fTdsUNPm
YZ3FnKNHy4+yho8mPLLQdomoV+D8SXamn9MY4K+H7SxRaStfqACRnUEMHAUPYpjr
3uc98jlezP7JoMx7CqcOu9FurlitJt5z+hUk6273uN7H19LJfap9MurFrM4o2gdP
xDklSvmTHbpTy+GNAeqAXW/fRZnw7B1mlrWOfGVYd6591FSQ4WybE+PyppJHm5Yi
HYQLQCkkq9XZrQkUR9GJEJ59HubScgGrR6jS1DtQv8ybgJ/DU7/oAUIH9CQws9x/
F9BPdIkus6kuo2O9N9VTg28FsxOZcA3PiVrCap/tp7N3y/QKOROvKJ9iIxkqZ/w=
=J0gs
-----END PGP SIGNATURE-----