[Opendnssec-develop] PublishSafety and RetireSafety

Rickard Bellgrim rickard at opendnssec.org
Wed Jul 6 13:01:23 UTC 2011

> I'm unsure how PublishSafety and RetireSafety should be used. The Wiki
> says the following, but it confuses me.
> """<PublishSafety> and <RetireSafety> are the publish and retire safety
> margins for the keys. These intervals are safety margins added to
> calculated timing values to ensure that keys are published and retired
> without there being a chance of signatures created with the keys being
> considered invalid."""
> I attached two possibilities. Drawn in the well-known state diagram with
> Hidden/Rumoured/Omnipresent/Unretentive.
> 1) We wait extra long after  introducing/outroducing a resource record
> 2) We wait extra long before introducing/outroducing a resource record
> T = TTL
> D = PropagationDelay
> P = PublishSafety
> R = RetireSafety
> There might be a third option?
> I should think it is option 2 since in option 1 it does the same as
> PropagationDelay.

The code in Enforcer uses them this way:

Time between publish and ready:
deltat = collection->zskttl + collection->propdelay +
collection->pub_safety; (ZSK)
deltat = collection->kskttl + collection->kskpropdelay +
collection->pub_safety; (KSK)

Time between retire to dead:
deltat = collection->zsksiglife + collection->propdelay +
collection->ret_safety; (ZSK)
deltat = collection->dsttl + collection->kskpropdelay +
collection->ret_safety; (KSK)

So this is option 1 and is almost like adding extra time to the

The thing that the safety margins want to protect you from is to enter
the omnipresent and the hidden state too early. Not that we enter the
rumoured or unretentive too early (nothing bad can happen to use in
this state).

Question: Do you need time between rumoured and unretentive?

// Rickard

More information about the Opendnssec-develop mailing list