[Opendnssec-user] retire period / signature lifetime

Matthijs Mekking matthijs at nlnetlabs.nl
Fri May 2 07:14:19 UTC 2014

On 05/01/2014 10:30 PM, Yuri Schaeffer wrote:
> Hi Maurice,
>> I noticed that the signature validity  time gets added to the
>> retire period for keys. I am wondering why this is ? I have a TTL
>> of 1 hour for the keys.  My signature validity  time is 28 days.
>> With a TTL of 1H  for the keys I think that normally it would be 
>> safe for the old ZSK to stay in the retire state for a few hours
>> and then be marked dead.
> Well the fact that your keys (i.e. DNSKEY records) will be cached for
> 1H says nothing about the TTL of the other records. Signatures get the
> TTL of the records they are signing. As long as these records are
> still cached the key must be (post)published.
>> But now it wil be in the retire state for 28 days. I think this is
>> strange. Or am I missing something ?
> What you are missing is what the signer does. Instead of generating
> all new signatures with the new key at once it will only replace the
> (soon to be) expired signatures. And keep both the new and old key
> published until this transition is done. Which could potentially take
> the validity time.

This is called a smooth rollover.

Your keys will be in the retire state for about 28 days. The signer will
indeed reuse signatures created by the old key, as long as the time it
takes before those sigs are expired is longer than the Refresh period.
So if for example your Refresh period is set to 3 days (which is the
default), the rollover should be about 25 days plus some hours in the
retire state.

If you don't want the smooth rollover behavior, set the Refresh period
to PT0S.

Best regards,

> //Yuri
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

More information about the Opendnssec-user mailing list