[Opendnssec-develop] PublishSafety and RetireSafety

Siôn Lloyd sion at nominet.org.uk
Wed Jul 6 13:12:01 UTC 2011


> The code in Enforcer uses them this way:
>
> Time between publish and ready:
> deltat = collection->zskttl + collection->propdelay +
> collection->pub_safety; (ZSK)
> deltat = collection->kskttl + collection->kskpropdelay +
> collection->pub_safety; (KSK)
>
> Time between retire and dead:
> deltat = collection->zsksiglife + collection->propdelay +
> collection->ret_safety; (ZSK)
> deltat = collection->dsttl + collection->kskpropdelay +
> collection->ret_safety; (KSK)
>
> So this is option 1 and is almost like adding extra time to the
> PropagationDelay.

Yes. You can think of it like this... The propagation delay is a guess, 
and may be longer than the value given, so this term is included to add 
some extra safety.

You have to look at the original version of the timing draft for a full 
explanation:
http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-00

Sion


