[Opendnssec-user] rollover started automatically when ManualRollover set
Emil Natan
shlyoko at gmail.com
Mon Jul 31 10:47:43 UTC 2017
Hi Yuri,
Thank you very much for the clarifications provided.
On Mon, Jul 31, 2017 at 12:39 PM, Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:
> Hi Emil,
>
> I have some clarifications.
>
> > There are no signatures created/remaining in the signed zone with the
> > retired key and it's completely redundant it's kept in the zonefile for
> > so long.
>
> I'm not sure about the order of events in your zone, you might have done
> some manual clean or resigns? But in general it isn't redundant at all
> for the old ZSK to be published for some time. Were it not for caching
> in DNS, DNSSEC would be much simpler. The old ZSK needs to be published
> as long as some resolvers still have data cached signed by the old key.
>
>
I completely understand the caching issue and why the transition time
between the retire and dead key states is related to the signature validity
period. In my case though the longest TTL in the zone is a day and all
signatures are recreated at each run of the signer (Refresh period is
zero), which means there is no need for more than a day (+ some propagation
delay) for the old key to be kept in the zone. Instead it is kept for 31
days, resulting in bigger DNSKEY responses for 30 more days.
What I propose is to use the refresh period in the calculation of the
period the ZSK shall be kept in the zone. I'll simplify it, leaving all
safety margins and max TTL aside, and say that the period should be the
validity period minus the refresh time, and in case the refresh time is
zero that period should be max TTL + safety margins.
Emil
> example.com ZSK
> > retire 2017-08-23 13:50:48 (dead) 2048 8
>
> Here we see that the retire state of the key lasts for 1 month. This is
> because your signature validity is 31 days.
>
> Also, the way OpenDNSSEC 1.4 works is that when it changes the state of
> a key it will calculate the time of the next state change and save it in
> the database. Changing the KASP does not affect currently set times.
>
Note: ODS 2.1 is more flexible in this regard.
>
> //Yuri
>
>
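Added example (not OpenDNSSEC code and not from anyone in the thread): a toy model of the argument above, in which a retired ZSK is needed only until the last RRSIG made with it has left the zone and every cached copy of that RRSIG has expired. It models the Refresh rule the way the thread describes it (Refresh 0 means every signature is recreated on every signer run; otherwise a signature is recreated once less than Refresh of its lifetime remains) and compares the result with the 31-day retire period reported for OpenDNSSEC 1.4. The signer-run interval of 2 hours, the 2-hour propagation delay and the alternative Refresh of 3 days are assumptions for illustration.

```python
"""Toy model (added example, not OpenDNSSEC code): how long must a retired
ZSK stay in the DNSKEY RRset?  All times are in hours."""
from dataclasses import dataclass

HOUR = 1
DAY = 24 * HOUR


@dataclass
class Signature:
    key: str         # which ZSK made this RRSIG ("old" or "new")
    inception: int
    expiration: int


def signer_run(sigs, now, active_key, validity, refresh):
    """One signer run over the zone's RRSIGs, modelling the Refresh rule as
    described in the thread: Refresh 0 recreates every signature on every
    run; otherwise a signature is recreated once less than `refresh` of its
    lifetime remains.  Recreated signatures are made with the active key."""
    for s in sigs:
        if refresh == 0 or s.expiration - now < refresh:
            s.key, s.inception, s.expiration = active_key, now, now + validity


def last_old_signature_departure(validity, refresh, resign_interval,
                                 retire_at, n_rrsets=6):
    """Hours after `retire_at` at which the zone last carries an old-key RRSIG.

    Constructed zone: n_rrsets RRsets whose signatures were made at the last
    n_rrsets signer runs before the key retired, so one signature is as fresh
    as possible at retire time (the worst case for the old key's lifetime).
    """
    sigs = [
        Signature("old", t, t + validity)
        for t in range(retire_at - n_rrsets * resign_interval, retire_at,
                       resign_interval)
    ]
    now = retire_at
    horizon = retire_at + 2 * validity      # every old RRSIG has expired by then
    while now <= horizon:
        signer_run(sigs, now, "new", validity, refresh)
        if all(s.key == "new" for s in sigs):
            return now - retire_at
        now += resign_interval
    raise RuntimeError("old signatures were never replaced")


def old_key_publication_needed(validity, refresh, resign_interval, max_ttl,
                               propagation, retire_at=40 * DAY):
    """Hours after retire that the old ZSK must stay published in this model:
    until the last old RRSIG is gone from the zone, plus the longest time a
    resolver may still hold a cached copy (max TTL), plus propagation to the
    secondaries."""
    departure = last_old_signature_departure(validity, refresh,
                                             resign_interval, retire_at)
    return departure + max_ttl + propagation


def ods14_retire_period(validity):
    """What the thread reports for OpenDNSSEC 1.4: the retire state lasts
    for the full signature validity period."""
    return validity


if __name__ == "__main__":
    validity, max_ttl = 31 * DAY, 1 * DAY
    resign, propagation = 2 * HOUR, 2 * HOUR   # assumed values
    for refresh in (0, 3 * DAY):               # Emil's setup, and an assumed alternative
        needed = old_key_publication_needed(validity, refresh, resign,
                                            max_ttl, propagation)
        print(f"Refresh={refresh / DAY:.0f}d: old ZSK needed for "
              f"{needed / DAY:.2f} days, ODS 1.4 keeps it for "
              f"{ods14_retire_period(validity) / DAY:.0f} days")
```

With Refresh 0 the last old-key RRSIG disappears at the first signer run after the retire, so the old key is needed for about max TTL plus propagation (one day and two hours here), not 31 days. With a non-zero Refresh the worst-case signature is one made just before the retire; it is not replaced until validity minus Refresh has passed, which is the "validity period minus refresh time" term in the proposal, and the max TTL still has to be added on top of it.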