[Opendnssec-develop] PublishSafety and RetireSafety

Yuri Schaeffer yuri at NLnetLabs.nl
Wed Jul 6 12:40:56 UTC 2011


I'm unsure how PublishSafety and RetireSafety should be used. The Wiki
says the following, but it confuses me.

"""<PublishSafety> and <RetireSafety> are the publish and retire safety
margins for the keys. These intervals are safety margins added to
calculated timing values to ensure that keys are published and retired
without there being a chance of signatures created with the keys being
considered invalid."""

I attached two possibilities. Drawn in the well-known state diagram with

1) We wait extra long after  introducing/outroducing a resource record
2) We wait extra long before introducing/outroducing a resource record

D = PropagationDelay
P = PublishSafety
R = RetireSafety

There might be a third option?

I should think it is option 2 since in option 1 it does the same as


Yuri Schaeffer
NLnet Labs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20110706_002.jpg
Type: image/jpeg
Size: 27869 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20110706/6bcc1c61/attachment.jpg>

More information about the Opendnssec-develop mailing list