[Opendnssec-user] retire period / signature lifetime

Maurice Mahieu maurice at info.nl
Fri May 2 12:16:12 UTC 2014

Hello Yuri and Matthijs.

I understand now why the behaviour is like this. I have a refresh period
of 21 days. The reason that it is this long is that if opendnssec
would break down in some way there is absolutely no stress to fix it
(except for dns changes). I wonder if there is any disadvantage in
having double ZSKs for such a long period.

With kind regards,


On 05/02/2014 09:14 AM, Matthijs Mekking wrote:
> On 05/01/2014 10:30 PM, Yuri Schaeffer wrote:
>> Hi Maurice,
>>> I noticed that the signature validity  time gets added to the
>>> retire period for keys. I am wondering why this is ? I have a TTL
>>> of 1 hour for the keys.  My signature validity  time is 28 days.
>>> With a TTL of 1H  for the keys I think that normally it would be
>>> safe for the old ZSK to stay in the retire state for a few hours
>>> and then be marked dead.
>> Well the fact that your keys (i.e. DNSKEY records) will be cached for
>> 1H says nothing about the TTL of the other records. Signatures get the
>> TTL of the records they are signing. As long as these records are
>> still cached the key must be (post)published.
>>> But now it will be in the retire state for 28 days. I think this is
>>> strange. Or am I missing something ?
>> What you are missing is what the signer does. Instead of generating
>> all new signatures with the new key at once it will only replace the
>> (soon to be) expired signatures. And keep both the new and old key
>> published until this transition is done. Which could potentially take
>> the validity time.
> This is called a smooth rollover.
> Your keys will be in the retire state for about 28 days. The signer will
> indeed reuse signatures created by the old key, as long as the time it
> takes before those sigs are expired is longer than the Refresh period.
> So if for example your Refresh period is set to 3 days (which is the
> default), the rollover should be about 25 days plus some hours in the
> retire state.
> If you don't want the smooth rollover behavior, set the Refresh period
> to PT0S.
> Best regards,
>    Matthijs
>> //Yuri
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Maurice Mahieu
System Engineer  | maurice at info.nl <mailto:maurice at info.nl>
info.nl <http://www.info.nl> /connecting the dots/ 

Sint Antoniesbreestraat 16  |  1011 HB Amsterdam  | +31 (0)20 530 91 11 
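To make the arithmetic in the thread concrete, here is an added example (not part of the original mail, nor OpenDNSSEC's own code) that estimates how long the old ZSK stays in the Retire state during a smooth rollover from the kasp.xml durations discussed above. The rule is taken from Matthijs's explanation (a signature is reused while its remaining lifetime exceeds Refresh); treating Refresh PT0S as "re-sign everything at once" and adding the DNSKEY TTL as the "some hours" of cache expiry are assumptions, not the enforcer's exact formula.

```python
import re
from datetime import timedelta

# Minimal parser for the ISO 8601 durations OpenDNSSEC uses in kasp.xml
# (P28D, P3D, PT1H, PT0S, P3DT12H). Years/months/weeks are not needed for
# this illustration and are rejected.
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    m = _DUR.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported ISO 8601 duration: {text!r}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def retire_duration(validity, refresh, dnskey_ttl):
    """Estimated time the old ZSK spends in the Retire state.

    Smooth rollover: the signer keeps an old-key signature until its
    remaining lifetime drops below Refresh, so the last signature made by
    the old key can survive for roughly Validity - Refresh.  The DNSKEY TTL
    stands in for the extra hours needed for caches to expire (assumption).
    Refresh == PT0S is modelled as "every signature is regenerated on the
    next signing run", leaving only the TTL (assumption based on the thread).
    """
    v, r, ttl = (parse_duration(x) for x in (validity, refresh, dnskey_ttl))
    if r == timedelta(0):
        return ttl
    return max(v - r, timedelta(0)) + ttl


if __name__ == "__main__":
    # Numbers from the thread: 28-day validity, 1-hour DNSKEY TTL.
    for refresh in ("P3D", "P21D", "PT0S"):
        print(f"Refresh={refresh:<5} -> old ZSK retired for about "
              f"{retire_duration('P28D', refresh, 'PT1H')}")
```

With the list default of Refresh=P3D this gives about 25 days plus an hour, matching Matthijs's estimate; with Maurice's 21-day refresh the old key lingers only about a week.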
