[Opendnssec-user] retire period / signature lifetime

Yuri Schaeffer yuri at nlnetlabs.nl
Thu May 1 20:30:02 UTC 2014



Hi Maurice,

> I noticed that the signature validity time gets added to the
> retire period for keys. I am wondering why this is? I have a TTL
> of 1 hour for the keys. My signature validity time is 28 days.
> With a TTL of 1H for the keys I think that normally it would be
> safe for the old ZSK to stay in the retire state for a few hours
> and then be marked dead.

Well, the fact that your keys (i.e. DNSKEY records) will be cached for
1H says nothing about the TTL of the other records. Signatures get the
TTL of the records they are signing. As long as these records are
still cached the key must be (post)published.

> But now it will be in the retire state for 28 days. I think this is
> strange. Or am I missing something?

What you are missing is what the signer does. Instead of generating
all new signatures with the new key at once, it will only replace the
(soon to be) expired signatures, keeping both the new and old key
published until this transition is done, which could potentially take
the validity time.

//Yuri
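The incremental re-signing described above, as an added model that is not OpenDNSSEC's own code. It uses the thread's numbers (DNSKEY TTL 1 hour, validity 28 days); the 3-day refresh window, the record TTLs and the RRSIG expiries in the sample zone are constructed assumptions.

```python
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR

# Constructed values modelled on the thread: DNSKEY TTL 1 hour, signature
# validity 28 days. The refresh window is an assumption, not from the thread.
DNSKEY_TTL = 1 * HOUR
VALIDITY = 28 * DAY
REFRESH = 3 * DAY  # assumed: re-sign once an RRSIG is within 3 days of expiry

@dataclass
class RRset:
    name: str
    ttl: int         # TTL of the covered records, inherited by their RRSIG
    sig_expiry: int  # seconds after rollover at which the old-key RRSIG expires

# Constructed zone: steady-state incremental signing spreads RRSIG expiries
# across the validity window, so at rollover some are still weeks from expiry.
SAMPLE_ZONE = [
    RRset("www", 1 * HOUR, 1 * DAY),
    RRset("mail", 1 * DAY, 10 * DAY),
    RRset("txt", 2 * DAY, 27 * DAY),
]

def resign_time(rrset: RRset, refresh: int) -> int:
    """When the signer replaces this RRset's old-key RRSIG: not at rollover,
    but once the signature enters the refresh window (anything already in
    the window is re-signed on the first run, t=0)."""
    return max(0, rrset.sig_expiry - refresh)

def old_key_needed_until(zone: list[RRset], refresh: int) -> int:
    """Earliest moment the old ZSK may leave the zone: every old-key RRSIG
    must have been replaced and then aged out of caches, which takes the
    covered RRset's TTL. The DNSKEY TTL does not enter into it."""
    return max(resign_time(r, refresh) + r.ttl for r in zone)

def worst_case_retire(validity: int, refresh: int, max_ttl: int) -> int:
    """Bound that needs no zone contents: an RRSIG made just before rollover
    is replaced `refresh` before it expires and then lingers in caches for
    up to the largest record TTL."""
    return validity - refresh + max_ttl

if __name__ == "__main__":
    needed = old_key_needed_until(SAMPLE_ZONE, REFRESH)
    print(f"DNSKEY TTL: {DNSKEY_TTL // HOUR} h")
    print(f"old ZSK must stay published for {needed // DAY} days (sample zone)")
    print(f"zone-independent bound: {worst_case_retire(VALIDITY, REFRESH, 2 * DAY) // DAY} days")
```

With these inputs the sample zone keeps the old ZSK busy for 26 days and the zone-independent bound is 27 days, both close to the full validity and nowhere near the 1-hour DNSKEY TTL.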