[Opendnssec-user] kasp.xml Validity tag

Dupond Mailing dupond.mailinglist at gmail.com
Wed Apr 19 14:58:28 UTC 2017

Ok, your example is very clear. That's the configuration I have right now.

So if I understand, if the signature end time is set to the 3rd may, it 
must be change the 30th april or 1st may.

Thank you,


Le 19/04/2017 à 15:42, Yuri Schaeffer a écrit :
>> But I thought that the signer would have change the signature end time
>> every time it runs, right? Now the end time is set to 14 days later.
>> I'll keep an eye on it.
> Not entirely. There are 3 variables in play here:
> - Validity period (default and denial)
> - Resign Interval
> - Refresh period
> The Validity period is the period in which signatures are usable by
> validators (i.e. the timestamps you see when 'digging' a record). The
> resign interval is the amount of time the signer waits between checks to
> see if any work needs to be done for that policy. It is dormant in
> between unless you prod it manually by giving it commands on the CLI.
> Last, the refresh period is the time BEFORE the end of the validity
> period in which the signer will regenerate signatures that are about to
> expire.
> So most of the time when the signer runs (resign Interval) it will do
> nothing for a particular signature. Unless that signature is about to
> expire (Tnow > Tsignature + Ivalidity - IRefresh).
> The idea is of course that (Iresign < Irefresh < Ivalidity).
> So for example Signatures are valid for 14 days, refresh them if they
> expire within 3 days, and check for that condition every 2 hours.
> //Yuri
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20170419/0784a79b/attachment.htm>

More information about the Opendnssec-user mailing list