Secondly, prior to this release, the signatures were refreshed two hours before their expiration, which was found to be extremely insufficient. With the new release, signatures are refreshed one tenth of the signature lifetime before their expiration. With the default configuration, the signature lifetime is 30 days, which implies that the signatures are refreshed three days before the expiration.
In this particular area I think BIND9 has it right. To begin with, BIND9 uses 1/4 of the signature lifetime as the default for when to resign. In addition to that there is a configuration parameter called "resigning interval" which specifies the amount of "remaining lifetime" in the signature before it will get resigned.

I.e. with a signature lifetime of ten days and a resigning interval of four days, the zone will get resigned every six days if nothing else changes.

This makes a lot of sense, because a fixed percentage of the signature lifetime simply doesn't work for very long or very short lifetimes.