[Opendnssec-user] How to calc new ZSK / KSK and pre-publish date

Sion Lloyd sion at nominet.org.uk
Wed May 14 12:57:28 UTC 2014 

To paraphrase the key timings draft:

     * A key in the "publish" state moves into the "ready" state when it has
     * been published for at least:
     *
     *      Ipc = TTLkeyc + Dpc +Sp
     *
     * ... where:
     *
     *      TTLkeyc  = TTL of the ZSK DNSKEY record
     *      Dpc      = Propagation delay
     *      Sp       = Publish Safety Margin
     *

OpenDNSSEC will attempt to publish a key at least this far ahead of the previous ZSK's retire time. It is slightly complicated by the run interval of the enforcer, so might be a bit earlier.

Generation may be as required (i.e. it will be generated and published at the same time) or you may generate a whole batch of keys ahead of schedule.

Sion

________________________________
From: opendnssec-user-bounces at lists.opendnssec.org [opendnssec-user-bounces at lists.opendnssec.org] on behalf of Javier Jiménez Huedo [bodegax at gmail.com]
Sent: 13 May 2014 13:18
To: opendnssec-user at lists.opendnssec.org
Subject: [Opendnssec-user] How to calc new ZSK / KSK and pre-publish date

Dear OpenDNSSEC users,

I am confused about the following behavior of openDNSSEC:

I have the following ZSK active key:

Key type     State:   Next transition:
 ZSK           active    2014-05-19 16:02:20 (retire)

KSK Lifetime P20D
ZSK LifeTime P10D


How I can calculate the date of generation of the next ZSK key?
How I can calculate the date of pre-publication next ZSK key?

Kasp.xml:

<Signatures>
               <Resign>PT5H</Resign>
               <Refresh>P2D</Refresh>
               <Validity>
                               <Default>P5D</Default>
                               <Denial>P5D</Denial>
               </Validity>
               <InceptionOffset>PT3600S</InceptionOffset>
...
<Signatures>


<keys>
                <TTL>PT3600S</TTL>
                <PublishSafety>PT1H</PublishSafety>
...
</keys>
<Zone>
                        <PropagationDelay>PT30S</PropagationDelay>
...
</zone>
<parent>
               <PropagationDelay>PT5H</PropagationDelay>
               <DS><TTL>P1D</TTL></DS>
               <SOA><TTL>P1D</TTL> <Minimum>P1D</Minimum></SOA>
</parent>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20140514/84988093/attachment.htm>

More information about the Opendnssec-user mailing list