[Opendnssec-develop] Signer Enforcer Communication
Matthijs Mekking
matthijs at NLnetLabs.nl
Thu Dec 22 10:47:50 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Yuri,
Because the enforcer cannot look into the signed zone, it can only be
sure some additional time before all new RRSIGs are introduced. From the
moment that the signer has a new signer configuration (t0), the enforcer
has to wait until all signatures have been replaced (dx).
The moment that a signature is replaced is the at the resign interval
where the signature is not fresh anymore for the first time:
(validity + jitter) + resign - refresh
Note that jitter in the worst case is 1*jitter, because the jitter range
is from [-j ... j].
Note that the maximum validity is
max(Signatures->Validity->Default, Signatures->Validity->Denial)
Hope this clarification helps.
Best regards,
Matthijs
On 12/05/2011 01:01 PM, Yuri Schaeffer wrote:
> While Matthijs is enjoying the sun, could you help verify I'm correct?
>
> In order to support smooth rollovers the enforcer must wait TTL + some
> additional_time when transition a RRSIG state from rumoured to
> omnipresent. (Signatures only get replaced when they expire).
>
> What is "additional_time"? I think:
>
> additional_time = Signatures->Validity->default + Signatures->Jitter
>
> As the enforcer I do not know the actual jitter value, so I must wait
> worst case time (I wait max 2*jitter to long).
>
> I believe I can ignore the refresh and resign intervals.
>
> //yuri
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJO8wrWAAoJEA8yVCPsQCW5NN0H/0hQ8p9k8mcH0rW2fTdsUNPm
YZ3FnKNHy4+yho8mPLLQdomoV+D8SXamn9MY4K+H7SxRaStfqACRnUEMHAUPYpjr
3uc98jlezP7JoMx7CqcOu9FurlitJt5z+hUk6273uN7H19LJfap9MurFrM4o2gdP
xDklSvmTHbpTy+GNAeqAXW/fRZnw7B1mlrWOfGVYd6591FSQ4WybE+PyppJHm5Yi
HYQLQCkkq9XZrQkUR9GJEJ59HubScgGrR6jS1DtQv8ybgJ/DU7/oAUIH9CQws9x/
F9BPdIkus6kuo2O9N9VTg28FsxOZcA3PiVrCap/tp7N3y/QKOROvKJ9iIxkqZ/w=
=J0gs
-----END PGP SIGNATURE-----
More information about the Opendnssec-develop
mailing list