Hi Jan,
On 29 Jan 2014, at 17:20, Jan Včelák <jan.vcelak(a)nic.cz> wrote:
>>> Secondly, prior to this release, the signatures were refreshed two hours
>>> before their expiration, which was found to be extremely insufficient. With
>>> the new release, signatures are refreshed one tenth of the signature
>>> lifetime before their expiration. With the default configuration, the
>>> signature lifetime is 30 days, which implies that the signatures are
>>> refreshed three days before the expiration.
>> In this particular area I think BIND9 has it right. To begin with, BIND9
>> uses 1/4 of the signature lifetime as the default for when to resign. In
>> addition to that there is a configuration parameter called "resigning
>> interval" which specifies the amount of "remaining lifetime" in the
>> signature before it will get resigned.
>>
>> I.e. with a signature lifetime of ten days and a resigning interval of
>> four days the zone will get resigned every six days if nothing else
>> changes.
>>
>> This makes a lot of sense, because a fixed percentage of the signature
>> lifetime simply doesn't work for very long or very short lifetimes.
>>
>> Makes sense, I think Jan might tell more about the plans for the future?
> Yes, you are right - this is not optimal, but definitely better than with the
> hardcoded signature refresh time. ;-)
Agreed ;-)
> We didn't want to add a new configuration option, as we are working on
> something similar to KASP (in OpenDNSSEC), which would control the resigning
> in the future. And the policy definition will be most probably separated from
> server configuration.
I'm all in favour of separating signing policy from server config. So if you're
working on something a la KASP then I fully agree that's where the resigning policy
should be.
Regards,
Johan
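The three refresh policies compared in this thread (a fixed lead time before expiration, a fraction of the signature lifetime, and BIND9's "resigning interval" of remaining lifetime), modelled as an added Python example. This is not Knot DNS or BIND9 code; the function names, the outage-margin calculation and the sample dates are this example's own assumptions.

```python
"""Model of RRSIG refresh scheduling under the policies discussed in the thread.

Hypothetical example code (not Knot DNS or BIND9 source). Instants are
datetime objects, durations are timedeltas. Three policies:

  fixed lead   - refresh a fixed time before expiration (the old 2-hour rule)
  fraction     - refresh when 1/divisor of the lifetime remains
                 (Knot: divisor 10, BIND9 default: divisor 4)
  interval     - refresh when a configured amount of lifetime remains
                 (BIND9 "resigning interval")
"""
from datetime import datetime, timedelta


def refresh_time_fixed(expiration, lead):
    """Fixed-lead policy: refresh `lead` before the RRSIG expires."""
    return expiration - lead


def refresh_time_fraction(inception, expiration, divisor):
    """Fractional policy: refresh when lifetime/divisor is still left."""
    lifetime = expiration - inception
    return expiration - lifetime / divisor


def refresh_time_interval(expiration, remaining):
    """Resigning-interval policy: refresh when `remaining` lifetime is left."""
    return expiration - remaining


def resign_period(lifetime, remaining):
    """How often the zone is re-signed if nothing else changes:
    each new signature lives `lifetime`, and is replaced `remaining` early."""
    return lifetime - remaining


def outage_margin(expiration, refresh_at):
    """Longest signer outage, starting at the scheduled refresh, that still
    leaves the current signature valid. This is the safety margin a policy
    buys; below it, resolvers see expired signatures and the zone fails
    validation."""
    return expiration - refresh_at


def resign_schedule(start, lifetime, remaining, count):
    """Successive signing instants under the interval policy, starting at
    `start`, for `count` re-signings (steady state, no other zone changes)."""
    period = resign_period(lifetime, remaining)
    return [start + period * i for i in range(count)]


if __name__ == "__main__":
    # Constructed sample: a signature made on 1 Jan 2014 with a 30-day lifetime.
    inception = datetime(2014, 1, 1)
    expiration = inception + timedelta(days=30)

    old = refresh_time_fixed(expiration, timedelta(hours=2))
    new = refresh_time_fraction(inception, expiration, 10)
    print("fixed 2h lead  -> refresh at", old, "margin", outage_margin(expiration, old))
    print("1/10 lifetime  -> refresh at", new, "margin", outage_margin(expiration, new))

    # BIND9-style figures from the thread: 10-day lifetime, 4-day interval.
    print("resign period  ->", resign_period(timedelta(days=10), timedelta(days=4)))
    print("schedule       ->", resign_schedule(inception, timedelta(days=10),
                                               timedelta(days=4), 3))
```

Run as a script it prints the thread's own numbers: a 30-day lifetime with the 1/10 rule refreshes three days before expiration, and a 10-day lifetime with a 4-day resigning interval re-signs every six days. The `outage_margin` helper is what makes the "extremely insufficient" judgement concrete: with a two-hour lead, any signer outage longer than two hours leaves expired signatures in the zone.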