[Opendnssec-user] kasp.xml Validity tag

Yuri Schaeffer yuri at nlnetlabs.nl
Wed Apr 19 13:42:38 UTC 2017


> But I thought that the signer would have changed the signature end time
> every time it runs, right? Now the end time is set to 14 days later.
> I'll keep an eye on it.

Not entirely. There are 3 variables in play here:

- Validity period (default and denial)
- Resign Interval
- Refresh period


The Validity period is the period in which signatures are usable by
validators (i.e. the timestamps you see when 'digging' a record). The
resign interval is the amount of time the signer waits between checks to
see if any work needs to be done for that policy. It is dormant in
between unless you prod it manually by giving it commands on the CLI.
Last, the refresh period is the time BEFORE the end of the validity
period in which the signer will regenerate signatures that are about to
expire.

So most of the time when the signer runs (resign interval) it will do
nothing for a particular signature, unless that signature is about to
expire (Tnow > Tsignature + Ivalidity - Irefresh).

The idea is of course that (Iresign < Irefresh < Ivalidity).
So for example, signatures are valid for 14 days, refresh them if they
expire within 3 days, and check for that condition every 2 hours.

//Yuri
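The three variables and the refresh condition above, as an added Python example (my code, not OpenDNSSEC's). It reads a constructed kasp.xml fragment whose Signatures element is laid out the way OpenDNSSEC's kasp.xml uses it (Resign, Refresh, Validity/Default, Validity/Denial with ISO 8601 durations; the structure and values are assumptions here, not quoted from the list), checks the ordering Iresign < Irefresh < Ivalidity, and walks the signer's resign ticks to show at which tick a signature is actually regenerated with the 14-day / 3-day / 2-hour numbers from the mail.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed kasp.xml fragment (assumed layout, not taken from the mail).
# Values follow Yuri's example: 14-day validity, 3-day refresh, 2-hour resign.
KASP_XML = """<KASP>
  <Policy name="default">
    <Signatures>
      <Resign>PT2H</Resign>
      <Refresh>P3D</Refresh>
      <Validity>
        <Default>P14D</Default>
        <Denial>P14D</Denial>
      </Validity>
    </Signatures>
  </Policy>
</KASP>"""

# Subset of ISO 8601 durations used in kasp.xml: PnD, PTnH, PTnM, PTnS and combinations.
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")


def parse_duration(text):
    """Turn a kasp.xml duration string such as 'P14D' or 'PT2H' into a timedelta."""
    text = text.strip()
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    g = {k: int(v or 0) for k, v in m.groupdict().items()}
    return timedelta(days=g["d"], hours=g["h"], minutes=g["m"], seconds=g["s"])


def load_policy(xml_text, name="default"):
    """Extract the three signature timing variables (plus the denial validity) for one policy."""
    root = ET.fromstring(xml_text)
    pol = root.find(f"./Policy[@name='{name}']")
    if pol is None:
        raise KeyError(f"no policy named {name!r}")
    sig = pol.find("Signatures")
    return {
        "resign": parse_duration(sig.findtext("Resign")),
        "refresh": parse_duration(sig.findtext("Refresh")),
        "validity": parse_duration(sig.findtext("Validity/Default")),
        "denial": parse_duration(sig.findtext("Validity/Denial")),
    }


def policy_is_sane(p):
    """The ordering the mail asks for: Iresign < Irefresh < Ivalidity (for both validity periods)."""
    return p["resign"] < p["refresh"] < min(p["validity"], p["denial"])


def needs_refresh(now, signed_at, validity, refresh):
    """Yuri's condition: Tnow > Tsignature + Ivalidity - Irefresh."""
    return now > signed_at + validity - refresh


def simulate(p, horizon, signed_at=datetime(2017, 4, 19, tzinfo=timezone.utc)):
    """Step through the signer's resign ticks for `horizon` and return, in hours
    after the first signing, each tick at which the signature was regenerated.
    Every other tick the signer wakes up, finds nothing to do, and goes dormant."""
    start = signed_at
    events = []
    t = start
    while t <= start + horizon:
        if needs_refresh(t, signed_at, p["validity"], p["refresh"]):
            events.append(int((t - start).total_seconds() // 3600))
            signed_at = t  # new signature, new inception time
        t += p["resign"]
    return events


if __name__ == "__main__":
    policy = load_policy(KASP_XML)
    print("policy sane:", policy_is_sane(policy))
    # With a 14-day validity and 3-day refresh the signature is only touched
    # at the first 2-hour tick after day 11, then again 11 days after that.
    print("resign ticks that regenerated (hours):", simulate(policy, parse_duration("P30D")))
```

The simulation makes the "most of the time it does nothing" point concrete: over 30 days the signer wakes up 361 times but only re-signs twice, at the first tick strictly past the 11-day mark (the validity end minus the refresh window) and again 11 days later. Swapping the Resign and Refresh values in the fragment makes `policy_is_sane` return False, which is the misconfiguration to check for when the observed end times do not move.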
