[Opendnssec-user] kasp.xml Validity tag

Yuri Schaeffer yuri at nlnetlabs.nl
Wed Apr 19 13:59:40 CEST 2017

Hi Gilles,

> Recently, some zones were not secured anymore because of the Validity
> Period. The reason was that the signature expiration field of the RRSIG
> RR was too old.
> For this time, I solved this problem by updating my zone. But I don't
> want to update all of my zones to avoid this.

I'm not sure if I understand your problem correctly. OpenDNSSEC is
specifically designed to do this. So as long as it is running
(specifically the signer in this case) it should take care or renewing

If you don't want to change your zones after signing and don't want to
have OpenDNSSEC running you can just set the signature validity to a
period ending after your retirement and hope someone else will be there
to deal with it by that time. Is this what you are asking?

> Is there any rule to calculate the Default and Denial durations for non
> changing zones?

These durations are configured in that KASP, no calculations required.
The signature end time might differ from record to record depending on
time changed and jitter. Though if all records are signed simultaneously
a 'dig +dnssec' for some record will suffice to read the date on the

Best regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <https://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20170419/47f0ab6a/attachment.sig>

More information about the Opendnssec-user mailing list