[Opendnssec-user] retire period / signature lifetime
maurice at info.nl
Fri May 2 14:16:12 CEST 2014
Hello Yuri and Matthijs.
I understand now why the behaviour is like this. I have a refresh period
of 21 days. The reason that it is this long is that if opendnssec
would break down in some way there is absolutely no stress to fix it
(except for DNS changes). I wonder if there is any disadvantage in
having double ZSKs for such a long period.
With kind regards,
On 05/02/2014 09:14 AM, Matthijs Mekking wrote:
> On 05/01/2014 10:30 PM, Yuri Schaeffer wrote:
>> Hi Maurice,
>>> I noticed that the signature validity time gets added to the
>>> retire period for keys. I am wondering why this is? I have a TTL
>>> of 1 hour for the keys. My signature validity time is 28 days.
>>> With a TTL of 1H for the keys I think that normally it would be
>>> safe for the old ZSK to stay in the retire state for a few hours
>>> and then be marked dead.
>> Well the fact that your keys (i.e. DNSKEY records) will be cached for
>> 1H says nothing about the TTL of the other records. Signatures get the
>> TTL of the records they are signing. As long as these records are
>> still cached the key must be (post)published.
>>> But now it will be in the retire state for 28 days. I think this is
>>> strange. Or am I missing something?
>> What you are missing is what the signer does. Instead of generating
>> all new signatures with the new key at once it will only replace the
>> (soon to be) expired signatures. And keep both the new and old key
>> published until this transition is done. Which could potentially take
>> the validity time.
> This is called a smooth rollover.
> Your keys will be in the retire state for about 28 days. The signer will
> indeed reuse signatures created by the old key, as long as the time it
> takes before those sigs are expired is longer than the Refresh period.
> So if for example your Refresh period is set to 3 days (which is the
> default), the rollover should be about 25 days plus some hours in the
> retire state.
> If you don't want the smooth rollover behavior, set the Refresh period
> to PT0S.
> Best regards,
System Engineer | maurice at info.nl <mailto:maurice at info.nl>
info.nl <http://www.info.nl> /connecting the dots/
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 91 11
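The smooth rollover Matthijs describes, as an added illustration that is not part of this thread or of OpenDNSSEC's own code: a toy model of the signer's refresh rule (reuse a signature while more than Refresh remains before it expires, regenerate everything when Refresh is PT0S) used to see how long the old ZSK stays in retire after a rollover at t = 0. The KASP names Validity/Refresh/Resign are used only as parameter names; the 2-hour resign interval and the staggering of signature expirations across the zone are assumptions.

```python
# Added illustration (not OpenDNSSEC code): a toy model of the signer's
# refresh loop as described in the thread, for a ZSK rollover at t = 0.
HOUR = 3600
DAY = 24 * HOUR


def simulate_rollover(validity, refresh, resign, ttl, n_rrsets=48):
    """Seconds after the rollover until the old ZSK is no longer needed.

    validity, refresh, resign: the KASP Validity, Refresh and Resign
    periods; ttl: the TTL of the signed RRsets. All values in seconds.
    The zone is modelled as n_rrsets RRsets whose old-key signatures
    expire at staggered times (assumption), the newest one having been
    signed right before the rollover.
    """
    step = max(1, (validity - refresh) // n_rrsets)
    # Each entry: [key that made the signature, absolute expiration time]
    zone = [["old", validity - i * step] for i in range(n_rrsets)]
    last_old_replaced = 0
    t = 0
    while any(key == "old" for key, _ in zone):
        for sig in zone:
            # Thread rule: a signature is reused while the time left before
            # it expires is longer than Refresh; Refresh of 0 (PT0S) means
            # every signature is regenerated at each signing run.
            if refresh == 0 or sig[1] - t <= refresh:
                if sig[0] == "old":
                    last_old_replaced = t
                sig[0], sig[1] = "new", t + validity
        t += resign
    # The old key must stay published until the last old-key signature has
    # fallen out of resolver caches, i.e. one TTL after it was replaced.
    return last_old_replaced + ttl


def retire_days(validity, refresh, resign=2 * HOUR, ttl=HOUR):
    """Retire time in days (2 decimals) for a given Validity/Refresh pair."""
    return round(simulate_rollover(validity, refresh, resign, ttl) / DAY, 2)


if __name__ == "__main__":
    # Thread example: Validity 28 days, default Refresh 3 days -> ~25 days + hours
    print("Refresh PT3D:", retire_days(28 * DAY, 3 * DAY), "days")
    # Maurice's setting: Refresh 21 days -> about a week in retire
    print("Refresh P21D:", retire_days(28 * DAY, 21 * DAY), "days")
    # Refresh PT0S: everything re-signed at once, no smooth rollover
    print("Refresh PT0S:", retire_days(28 * DAY, 0), "days")
```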