[Opendnssec-user] retire period / signature lifetime

Maurice Mahieu maurice at info.nl
Fri May 2 14:45:02 UTC 2014


Ok,

It is all clear now to me.

Thanks a lot

Maurice


On 05/02/2014 04:18 PM, Matthijs Mekking wrote:
> On 05/02/2014 03:49 PM, Maurice Mahieu wrote:
>> Hello Sion,
>>
>> In my case (with a TTL of 1 hour, a refresh period of 21 days and a
>> signature validity time of 28 days) after 7 days (and a bit) there
>> will be no record signed with the old ZSK anymore. After that moment
>> the old ZSK is useless and can be thrown away I think. So it could be
>> calculated by extracting the refresh from the validity time (with some
>> extra time for the time between runs of the enforcer, the TTL etc.).
> But the enforcer does not know about the TTLs in the unsigned zone. So
> for safety it takes the signature validity period (thanks Sion for
> reminding me).
>
> For all the enforcer knows, there are still old signatures in the
> cache with a TTL of 28 days. Unlikely, but better safe than sorry.
>
>> If it would be possible to have an option  to have the signerd resign
>> all records with the new ZSK after the rollover then in my case the
>> retire period could even be much shorter than a week. And there would be
>> no requirement to use a maximum TTL parameter.
> Such an option exists: setting the Refresh period to PT0S,
> effectively disabling signature reuse.
>
> Best regards,
>    Matthijs
>
>> This is the way I see it. But maybe I'm overlooking something as I find
>> all this timing stuff quite complicated.
>>
>> With kind regards,
>>
>> Maurice
>>
>>
>>
>>
>> On 05/02/2014 02:58 PM, Siôn Lloyd wrote:
>>> Hi Maurice.
>>>
>>> We are aware of the overly long ZSK retire period; however the fix
>>> would require a new parameter that describes the maximum TTL within
>>> the signed zone. This has been added to the enforcer 2.0 code but in
>>> the 1.X code we use the signature lifetime as it is a safe value to use.
>>>
>>> Note that new signatures are only being created by one ZSK so the only
>>> penalty is a larger DNSKEY RRset.
>>>
>>> Sion
>>>
>>> On 02/05/14 13:16, Maurice Mahieu wrote:
>>>> Hello Yuri and Matthijs.
>>>>
>>>> I understand now why the behaviour is like this. I have a refresh
>>>> period of 21 days. The reason that it is this long is that if
>>>> OpenDNSSEC would break down in some way there is absolutely no
>>>> stress to fix it (except for DNS changes). I wonder if there is
>>>> any disadvantage in having double ZSKs for such a long period.
>>>>
>>>>
>>>> With kind regards,
>>>>
>>>> Maurice
>>>>
>>>>
>>>>
>>>>   
>>>>
>>>>
>>>>
>>>>
>>>> On 05/02/2014 09:14 AM, Matthijs Mekking wrote:
>>>>> On 05/01/2014 10:30 PM, Yuri Schaeffer wrote:
>>>>>> Hi Maurice,
>>>>>>
>>>>>>> I noticed that the signature validity time gets added to the
>>>>>>> retire period for keys. I am wondering why this is? I have a TTL
>>>>>>> of 1 hour for the keys. My signature validity time is 28 days.
>>>>>>> With a TTL of 1H for the keys I think that normally it would be
>>>>>>> safe for the old ZSK to stay in the retire state for a few hours
>>>>>>> and then be marked dead.
>>>>>> Well the fact that your keys (i.e. DNSKEY records) will be cached for
>>>>>> 1H says nothing about the TTL of the other records. Signatures get the
>>>>>> TTL of the records they are signing. As long as these records are
>>>>>> still cached the key must be (post)published.
>>>>>>
>>>>>>> But now it will be in the retire state for 28 days. I think this is
>>>>>>> strange. Or am I missing something?
>>>>>> What you are missing is what the signer does. Instead of generating
>>>>>> all new signatures with the new key at once it will only replace the
>>>>>> (soon to be) expired signatures. And keep both the new and old key
>>>>>> published until this transition is done. Which could potentially take
>>>>>> the validity time.
>>>>> This is called a smooth rollover.
>>>>>
>>>>> Your keys will be in the retire state for about 28 days. The signer will
>>>>> indeed reuse signatures created by the old key, as long as the time it
>>>>> takes before those sigs are expired is longer than the Refresh period.
>>>>> So if for example your Refresh period is set to 3 days (which is the
>>>>> default), the rollover should be about 25 days plus some hours in the
>>>>> retire state.
>>>>>
>>>>> If you don't want the smooth rollover behavior, set the Refresh period
>>>>> to PT0S.
>>>>>
>>>>> Best regards,
>>>>>    Matthijs
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> //Yuri
>>>>>> _______________________________________________
>>>>>> Opendnssec-user mailing list
>>>>>> Opendnssec-user at lists.opendnssec.org
>>>>>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>>>>>>
>>>>
>>>>
>>>>
>>>>
>>
>>
>>
>>
>>


-- 
Maurice Mahieu
System Engineer | maurice at info.nl
info.nl <http://www.info.nl> /connecting the dots/

Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 91 11
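The smooth rollover timing discussed in this thread (signatures are reused while their remaining lifetime exceeds the Refresh period, so the old ZSK's last RRSIG disappears after roughly validity minus Refresh, and Refresh PT0S disables reuse), simulated as an added Python example that is not OpenDNSSEC code; the two-hour resign interval and the handful of staggered signatures are constructed assumptions, and signature jitter is ignored:

```python
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class Signature:
    key: str         # ZSK that produced this RRSIG
    inception: int   # seconds relative to the rollover instant
    expiration: int


def signer_run(sigs, now, active_key, validity, refresh):
    """One signer pass. A signature is reused only while its remaining
    lifetime is longer than the Refresh period; with Refresh = PT0S (0)
    reuse is disabled and everything is re-signed with the active key."""
    out = []
    for s in sigs:
        reuse = refresh > 0 and (s.expiration - now) > refresh
        out.append(s if reuse else Signature(active_key, now, now + validity))
    return out


def hours_until_old_zsk_unused(validity_days, refresh_days, resign_hours=2):
    """ZSK1 signed the whole zone up to t=0 (worst case: one RRSIG is brand
    new); ZSK2 becomes the active key at t=0. Returns the hours until no
    RRSIG made by ZSK1 is left in the signed zone."""
    validity = validity_days * DAY
    refresh = refresh_days * DAY
    # Constructed sample: seven RRSIGs made by ZSK1 on consecutive days.
    sigs = [Signature("ZSK1", -d * DAY, -d * DAY + validity) for d in range(7)]
    now = 0
    while any(s.key == "ZSK1" for s in sigs):
        now += resign_hours * HOUR
        sigs = signer_run(sigs, now, "ZSK2", validity, refresh)
    return now // HOUR


def retire_hours(validity_days, refresh_days, max_ttl_hours):
    """Minimum time ZSK1 must stay published after the rollover: until its
    last RRSIG is replaced, plus the largest TTL so caches have drained.
    Enforcer 1.x does not know the zone's TTLs and uses the full signature
    validity instead, which is always at least this large."""
    return hours_until_old_zsk_unused(validity_days, refresh_days) + max_ttl_hours
```

With Maurice's settings (28 days validity, 21 days Refresh) the old ZSK is unused after 7 days, and with the default 3-day Refresh after 25 days, matching the figures given in the thread.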


