[Opendnssec-user] Different Default signature validity versus Denial signature validity

Rickard Bellgrim rickard at opendnssec.org
Wed Apr 18 07:14:00 UTC 2012


> Reading RFC 4641bis version 11, section 4.4.2.3 mentions why it's a good
> idea to have different lifetimes, but it's not very strong about it. Is it
> still a good idea to have a different policy? I understand that policy
> decisions are local and different lifetimes can be avoided by using the
> same lifetime value for both cases, but I'm trying to understand rather
> than fixing.

Another example: If you are a TLD and running NSEC, then most of your
signatures probably are over the NSEC. If you want to lower the
changes in the zone, then you could differentiate the signature
lifetimes.

This feature is probably not used so much. It was part of the initial
requirements of OpenDNSSEC, but it was never used by the one
requesting it. When integrating two different solutions, then we have
to limit ourselves to a common set of features. Thus you have to make
sure to use the same lifetime values.

// Rickard
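The NSEC-heavy TLD case above, as an added illustrative model (not OpenDNSSEC's code): it counts how many RRSIGs a signer regenerates per day when the Denial validity is the same as, or longer than, the Default validity. It assumes OpenDNSSEC's Refresh rule (re-sign once remaining validity is at or below Refresh), ignores Jitter and InceptionOffset, and uses constructed zone sizes.

```python
# Added illustrative model (not OpenDNSSEC code): daily RRSIG churn for a zone
# signed with separate Default (data) and Denial (NSEC) validity periods.
from collections import Counter


def simulate_churn(n_sigs, validity, refresh, days):
    """Return a list with the number of signatures regenerated on each day.

    Model assumptions: a signature is regenerated on the first day on which
    its remaining validity is <= `refresh` (the OpenDNSSEC Refresh rule),
    jitter and inception offset are ignored, and the zone starts in steady
    state with expirations spread evenly over the re-sign window.
    """
    period = validity - refresh          # days between two signings of one RRset
    if period <= 0:
        raise ValueError("Validity must exceed Refresh")
    expiry = Counter()                   # expiry day -> number of signatures
    for i in range(period):
        expiry[refresh + 1 + i] += n_sigs // period
    expiry[refresh + 1] += n_sigs % period
    per_day = []
    for today in range(1, days + 1):
        due = [d for d in expiry if d - today <= refresh]
        resigned = sum(expiry.pop(d) for d in due)
        if resigned:
            expiry[today + validity] += resigned
        per_day.append(resigned)
    return per_day


def daily_churn(n_data, n_nsec, default_validity, denial_validity, refresh, days=36):
    """Average signatures regenerated per day, split by data and denial (NSEC)."""
    data = simulate_churn(n_data, default_validity, refresh, days)
    denial = simulate_churn(n_nsec, denial_validity, refresh, days)
    return {
        "data": sum(data) / days,
        "denial": sum(denial) / days,
        "total": (sum(data) + sum(denial)) / days,
    }


if __name__ == "__main__":
    # Constructed TLD-like zone: 2000 signed data RRsets (mostly DS) and 90000 NSEC records
    same = daily_churn(2000, 90000, default_validity=7, denial_validity=7, refresh=3)
    longer = daily_churn(2000, 90000, default_validity=7, denial_validity=21, refresh=3)
    print("Denial = Default (7d):", same)
    print("Denial = 21d, Default = 7d:", longer)
```

With the constructed numbers the total daily churn drops from 23000 to 5500 signatures once the NSEC signatures get the longer lifetime, which is the zone-change reduction the reply describes.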