[Opendnssec-user] retire period / signature lifetime

Yuri Schaeffer yuri at nlnetlabs.nl
Thu May 1 20:30:02 UTC 2014

Hash: SHA1

Hi Maurice,

> I noticed that the signature validity  time gets added to the
> retire period for keys. I am wondering why this is ? I have a TTL
> of 1 hour for the keys.  My signature validity  time is 28 days.
> With a TTL of 1H  for the keys I think that normally it would be 
> safe for the old ZSK to stay in the retire state for a few hours
> and then be marked dead.

Well the fact that your keys (i.e. DNSKEY records) will be cached for
1H says nothing about the TTL of the other records. Signatures get the
TTL of the records they are signing. As long as these records are
still cached the key must be (post)published.

> But now it wil be in the retire state for 28 days. I think this is
> strange. Or am I missing something ?

What you are missing is what the signer does. Instead of generating
all new signatures with the new key at once it will only replace the
(soon to be) expired signatures. And keep both the new and old key
published until this transition is done. Which could potentially take
the validity time.

Version: GnuPG v1
Comment: Using GnuPG with Icedove - http://www.enigmail.net/


More information about the Opendnssec-user mailing list