[Opendnssec-user] PublishSafety default value

Antti Ristimäki antti.ristimaki at csc.fi
Wed Jan 9 13:10:08 UTC 2013


I've been wondering whether the default value (3600s) for the key
PublishSafety margin is too short. As OpenDNSSEC is usually used as a
bump-in-the-wire signer, it has no visibility to what is actually
published in DNS. When OpenDNSSEC decides to roll a key it calculates
the intended pre-publication period by DNSKEY TTLs, the PublishSafety
and other margins, right? When the pre-publication period has passed,
ODS thinks that the new key has reached the caches and can be used for
signing, but this might not be the case if for example the authoritative
server(s) have been unavailable at the time when ODS published the new key.

I'm not 100% sure but IIRC there have been validation failures that have
been caused by the signer (not necessarily ODS) calculating too
optimistic pre-publication intervals without visibility to what is
actually available in public DNS.

Any thoughts?
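The gap the post describes, between the pre-publication interval the signer assumes and the one the public DNS actually delivers, can be checked from outside the signer. The following is an added example written for this thread, not OpenDNSSEC code: it computes the signer's own estimate (publish time + PropagationDelay + DNSKEY TTL + PublishSafety, the kasp.xml knobs the post refers to) next to an estimate derived from what each authoritative server was observed to serve. The observation format (polling results as timestamps plus the set of key tags seen in the apex DNSKEY RRset), the server names, the key tags and the timestamps are all constructed for the example.

```python
"""Compare the signer's assumed pre-publication interval with one derived
from what the authoritative servers really served.

Added example for this thread, not OpenDNSSEC code. The timing knobs mirror
kasp.xml (DNSKEY TTL, PublishSafety, PropagationDelay); the observation format
and all sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# One polling result for one server: (unix time, key tags seen in the apex
# DNSKEY RRset). In practice these come from periodically querying each
# authoritative server directly, which is what a bump-in-the-wire signer lacks.
Observation = Tuple[int, Set[int]]


@dataclass(frozen=True)
class RolloverTiming:
    dnskey_ttl: int         # TTL of the DNSKEY RRset, seconds
    publish_safety: int     # <PublishSafety> margin, seconds
    propagation_delay: int  # <PropagationDelay>: master to all secondaries, seconds

    def assumed_ready(self, published_at: int) -> int:
        """The signer's optimistic view: it only knows when it emitted the
        new DNSKEY and adds fixed propagation, TTL and safety margins."""
        return (published_at + self.propagation_delay
                + self.dnskey_ttl + self.publish_safety)


def first_seen(obs: List[Observation], key_tag: int) -> Optional[int]:
    """Earliest time this server served key_tag, or None if it never did."""
    for ts, tags in sorted(obs, key=lambda o: o[0]):
        if key_tag in tags:
            return ts
    return None


def observed_ready(observations: Dict[str, List[Observation]],
                   key_tag: int, timing: RolloverTiming) -> Optional[int]:
    """Earliest safe signing time based on actual publication.

    Old DNSKEY RRsets cached from a server only start to expire once THAT
    server publishes the new key, so the TTL + PublishSafety clock starts at
    the latest first-seen time across all servers. PropagationDelay is not
    added: propagation was observed directly instead of assumed.
    """
    seen = [first_seen(obs, key_tag) for obs in observations.values()]
    if not seen or any(t is None for t in seen):
        return None  # some server has never published the key: not safe
    return max(seen) + timing.dnskey_ttl + timing.publish_safety


def safe_to_sign(now: int, observations: Dict[str, List[Observation]],
                 key_tag: int, timing: RolloverTiming) -> bool:
    ready = observed_ready(observations, key_tag, timing)
    return ready is not None and now >= ready


# --- constructed sample data -------------------------------------------------
OLD_KEY, NEW_KEY = 12345, 54321       # key tags (assumed)
PUBLISHED_AT = 1357700000             # when the signer emitted NEW_KEY
TIMING = RolloverTiming(dnskey_ttl=3600, publish_safety=3600, propagation_delay=300)

# ns3 was unreachable for two hours around the publish time, so it only picked
# up the new DNSKEY RRset late; the signer has no way to know this.
OBSERVATIONS: Dict[str, List[Observation]] = {
    "ns1": [(PUBLISHED_AT - 600, {OLD_KEY}), (PUBLISHED_AT + 60, {OLD_KEY, NEW_KEY})],
    "ns2": [(PUBLISHED_AT - 600, {OLD_KEY}), (PUBLISHED_AT + 90, {OLD_KEY, NEW_KEY})],
    "ns3": [(PUBLISHED_AT - 600, {OLD_KEY}), (PUBLISHED_AT + 7200, {OLD_KEY, NEW_KEY})],
}


def demo() -> dict:
    assumed = TIMING.assumed_ready(PUBLISHED_AT)
    observed = observed_ready(OBSERVATIONS, NEW_KEY, TIMING)
    return {
        "assumed_ready": assumed,
        "observed_ready": observed,
        # at the moment the signer would start using the key, is it safe?
        "safe_at_assumed": safe_to_sign(assumed, OBSERVATIONS, NEW_KEY, TIMING),
        "safe_at_observed": safe_to_sign(observed, OBSERVATIONS, NEW_KEY, TIMING),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the sample data the signer would start signing 7500 s after publishing, while the lagging server only started serving the new key after 7200 s, so the earliest safe time is 14400 s after publication; a resolver that cached ns3's old DNSKEY RRset just before it caught up would otherwise see signatures it cannot validate. Feeding real data means querying each authoritative server for the apex DNSKEY RRset (for example with dig) and recording the key tags seen per poll.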

