[Opendnssec-user] retire period / signature lifetime

Maurice Mahieu maurice at info.nl
Fri May 2 13:49:49 UTC 2014


Hello Sion,

In my case ( with a TTL of 1 hour, a refresh period of 21 days and a 
signature validity time of 28 days ) after 7 days ( and a bit ) there 
will be no record signed with the old ZSK anymore. After that moment 
the old ZSK is useless and can be thrown away I think. So it could be 
calculated by extracting the refresh from the validity time ( with some 
extra time for the time between runs of the enforcer, the TTL etc. ). 
If it would be possible to have an option to have the signerd resign 
all records with the new ZSK after the rollover then in my case the 
retire period could even be much shorter than a week. And there would be 
no requirement to use a maximum TTL parameter.

This is the way I see it. But maybe I'm overlooking something as I find 
all this timing stuff quite complicated.

With kind regards,

Maurice




On 05/02/2014 02:58 PM, Siôn Lloyd wrote:
> Hi Maurice.
>
> We are aware of the overly long ZSK retire period; however the fix 
> would require a new parameter that describes the maximum TTL within 
> the signed zone. This has been added to the enforcer 2.0 code but in 
> the 1.X code we use the signature lifetime as it is a safe value to use.
>
> Note that new signatures are only being created by one ZSK so the only 
> penalty is a larger DNSKEY RRset.
>
> Sion
>
> On 02/05/14 13:16, Maurice Mahieu wrote:
>> Hello Yuri and Matthijs.
>>
>> I understand now why the behaviour is like this. I have a refresh 
>> period of 21 days. The reason that it is this long is that if 
>> opendnssec would break down in some way there is absolutely no 
>> stress to fix it ( except for dns changes ). I wonder if there is 
>> any disadvantage in having double ZSKs for such a long period.
>>
>>
>> With kind regards,
>>
>> Maurice
>>
>> On 05/02/2014 09:14 AM, Matthijs Mekking wrote:
>>> On 05/01/2014 10:30 PM, Yuri Schaeffer wrote:
>>>> Hi Maurice,
>>>>
>>>>> I noticed that the signature validity  time gets added to the
>>>>> retire period for keys. I am wondering why this is ? I have a TTL
>>>>> of 1 hour for the keys.  My signature validity  time is 28 days.
>>>>> With a TTL of 1H  for the keys I think that normally it would be
>>>>> safe for the old ZSK to stay in the retire state for a few hours
>>>>> and then be marked dead.
>>>> Well the fact that your keys (i.e. DNSKEY records) will be cached for
>>>> 1H says nothing about the TTL of the other records. Signatures get the
>>>> TTL of the records they are signing. As long as these records are
>>>> still cached the key must be (post)published.
>>>>
>>>>> But now it will be in the retire state for 28 days. I think this is
>>>>> strange. Or am I missing something ?
>>>> What you are missing is what the signer does. Instead of generating
>>>> all new signatures with the new key at once it will only replace the
>>>> (soon to be) expired signatures. And keep both the new and old key
>>>> published until this transition is done. Which could potentially take
>>>> the validity time.
>>> This is called a smooth rollover.
>>>
>>> Your keys will be in the retire state for about 28 days. The signer will
>>> indeed reuse signatures created by the old key, as long as the time it
>>> takes before those sigs are expired is longer than the Refresh period.
>>> So if for example your Refresh period is set to 3 days (which is the
>>> default), the rollover should be about 25 days plus some hours in the
>>> retire state.
>>>
>>> If you don't want the smooth rollover behavior, set the Refresh period
>>> to PT0S.
>>>
>>> Best regards,
>>>    Matthijs
>>>
>>>> //Yuri
>>>> _______________________________________________
>>>> Opendnssec-user mailing list
>>>> Opendnssec-user at lists.opendnssec.org
>>>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>>>>
>>
>


-- 
Maurice Mahieu
System Engineer  | maurice at info.nl <mailto:maurice at info.nl>
info.nl <http://www.info.nl> /connecting the dots/ 
<http://www.info.nl/nl?utm_source=e-mail_sig&utm_medium=e-mail&utm_term=connecting_the_dots&utm_campaign=info_sig> 

Sint Antoniesbreestraat 16  |  1011 HB Amsterdam  | +31 (0)20 530 91 11 
<tel:+31205309111>
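The calculation discussed in this thread (how long a retired ZSK must stay published under a smooth rollover, and why a 21-day Refresh against a 28-day Validity leaves only about a week of old-key signatures) can be worked through in a few lines. The following is an added example written for this archive page; it is not OpenDNSSEC code and does not reproduce the enforcer's own rules. It models the reasoning given above: the signer keeps old-key signatures until they are Refresh away from expiry, so the last old-key signature disappears about (Validity - Refresh) after the rollover; Refresh PT0S turns smooth rollover off, modelled here as no carry-over at all; and the old DNSKEY must then outlive cached copies of those RRsets (the largest record TTL in the zone) plus some slack for enforcer runs. The durations are the ISO 8601 forms used in kasp.xml (P21D, PT1H, PT0S); the parser, the function names and the slack parameter are this example's own assumptions.

```python
"""Estimate the ZSK retire period under a smooth rollover.

Added example for the discussion above; NOT OpenDNSSEC's own logic.
Model (from the thread): old-key signatures are reused until they are
Refresh away from expiry, the old DNSKEY must stay published until the
last such RRset has left resolver caches, and the 1.x enforcer simply
uses the whole signature lifetime as a safe upper bound instead.
"""
import re
from datetime import timedelta

# ISO 8601 duration as written in kasp.xml, e.g. P21D, PT1H, P7DT1H, PT0S.
_DUR = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def parse_duration(text):
    """Parse an ISO 8601 duration string into a timedelta.

    Years and months are approximated as 365 and 30 days (an assumption of
    this example; kasp.xml values in practice use W/D/H/M/S).
    """
    m = _DUR.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"bad ISO 8601 duration: {text!r}")
    y, mo, w, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=y * 365 + mo * 30 + w * 7 + d,
                     hours=h, minutes=mi, seconds=s)


def retire_period(validity, refresh, max_ttl, slack=timedelta(0)):
    """Estimated time the old ZSK must remain published after the rollover.

    validity: signature validity (kasp <Validity>)
    refresh:  signature refresh interval (kasp <Refresh>); PT0S disables
              smooth rollover, i.e. everything is re-signed on the next run
    max_ttl:  largest TTL of any record in the zone (resolver cache bound)
    slack:    extra margin for enforcer interval, signer run spacing, etc.
    """
    if refresh >= validity:
        raise ValueError("Refresh must be shorter than Validity")
    # Signatures made just before the rollover are kept until they are
    # `refresh` away from expiry, so the last old-key signature is replaced
    # (validity - refresh) after the rollover. With Refresh PT0S nothing is
    # carried over because the signer re-signs everything on the next run.
    carry_over = validity - refresh if refresh > timedelta(0) else timedelta(0)
    # Once the last old-key RRset has been re-signed, cached copies of it may
    # still be validated against the old DNSKEY for up to one TTL.
    return carry_over + max_ttl + slack


def thread_scenarios():
    """The cases mentioned in the thread: 28-day validity, 1-hour DNSKEY TTL.

    The TTL of 1 hour is used here as the zone's maximum TTL, which is the
    assumption Maurice makes; if other records carry longer TTLs, max_ttl
    must be the largest of them (Yuri's point about signature TTLs).
    """
    validity = parse_duration("P28D")
    max_ttl = parse_duration("PT1H")
    return {
        "refresh P21D (Maurice)": retire_period(validity, parse_duration("P21D"), max_ttl),
        "refresh P3D (default)": retire_period(validity, parse_duration("P3D"), max_ttl),
        "refresh PT0S (no smooth rollover)": retire_period(validity, parse_duration("PT0S"), max_ttl),
        "1.x safe bound (signature lifetime)": validity,
    }


if __name__ == "__main__":
    for label, period in thread_scenarios().items():
        print(f"{label:40s} old ZSK published for {period}")
```

Running it prints roughly 7 days for the 21-day Refresh (Maurice's "7 days and a bit"), 25 days for the 3-day default (Matthijs's "25 days plus some hours"), one hour when Refresh is PT0S, and the full 28 days that the 1.x enforcer uses as its bound; the difference between the last two rows is exactly what the maximum-TTL parameter mentioned for enforcer 2.0 is meant to recover.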
