[Opendnssec-develop] PublishSafety and RetireSafety
Siôn Lloyd
sion at nominet.org.uk
Wed Jul 6 13:12:01 UTC 2011
> The code in Enforcer uses them this way:
>
> Time between publish and ready:
> deltat = collection->zskttl + collection->propdelay + collection->pub_safety; (ZSK)
> deltat = collection->kskttl + collection->kskpropdelay + collection->pub_safety; (KSK)
>
> Time between retire and dead:
> deltat = collection->zsksiglife + collection->propdelay + collection->ret_safety; (ZSK)
> deltat = collection->dsttl + collection->kskpropdelay + collection->ret_safety; (KSK)
>
> So this is option 1 and is almost like adding extra time to the
> PropagationDelay.
Yes. You can think of it like this... The propagation delay is a guess,
and may be longer than the value given, so this term is included to add
some extra safety.
You have to look at the original version of the timing draft for a full
explanation:
http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-00
Sion
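
The intervals quoted above, worked through as an added example that is not part of the original message or of the Enforcer code: it computes both intervals for each key type and shows how much slack the safety terms leave when real propagation is slower than the configured guess. The struct, the function names and the sample values are assumptions made for illustration; only the field names come from the quoted lines.

```c
#include <stdio.h>

/* Hypothetical container; field names follow the Enforcer lines quoted above.
 * All values are in seconds. */
struct key_policy {
    long zskttl, kskttl, dsttl, zsksiglife;
    long propdelay, kskpropdelay;   /* configured (estimated) propagation delays */
    long pub_safety, ret_safety;    /* PublishSafety / RetireSafety */
};
enum key_type { ZSK, KSK };

/* Constructed sample policy, not taken from any real zone. */
struct key_policy sample_policy(void) {
    struct key_policy p = { 3600, 3600, 86400, 1209600, 3600, 43200, 3600, 3600 };
    return p;
}

/* Publish -> ready interval, as in the quoted code. */
long publish_to_ready(const struct key_policy *p, enum key_type t) {
    return (t == ZSK ? p->zskttl + p->propdelay : p->kskttl + p->kskpropdelay)
           + p->pub_safety;
}

/* Retire -> dead interval, as in the quoted code. */
long retire_to_dead(const struct key_policy *p, enum key_type t) {
    return (t == ZSK ? p->zsksiglife + p->propdelay : p->dsttl + p->kskpropdelay)
           + p->ret_safety;
}

/* Slack left if propagation really takes `actual` seconds instead of the
 * configured guess. Negative: the key would be treated as ready before every
 * cache could have seen it. */
long publish_slack(const struct key_policy *p, enum key_type t, long actual) {
    return (t == ZSK ? p->propdelay : p->kskpropdelay) + p->pub_safety - actual;
}

/* Same check for retire -> dead: negative means the key would be removed
 * while data depending on it could still be cached. */
long retire_slack(const struct key_policy *p, enum key_type t, long actual) {
    return (t == ZSK ? p->propdelay : p->kskpropdelay) + p->ret_safety - actual;
}

int main(void) {
    struct key_policy p = sample_policy();
    printf("ZSK ready after %lds, dead after %lds\n",
           publish_to_ready(&p, ZSK), retire_to_dead(&p, ZSK));
    printf("ZSK publish slack at 5400s real delay: %lds\n", publish_slack(&p, ZSK, 5400));
    return 0;
}
```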