DNSSEC intervals

John john at klam.ca
Fri Jan 23 17:53:05 CET 2015


On 1/22/2015 8:32 PM, Ted Cooper wrote:
> On 23/01/15 04:50, John wrote:
>> Why a formal period between "ready" and "active", surely if the
>> publishing period is correctly chosen then a key is activated when
>> ready. Similarly when a key has reached the end of its retirement and is
>> dead, surely it should be removed from the system asap. The more junk
>> there is lying around the greater the likelihood of error.
> The time period between "ready" and "active" is to allow for the key to
> be returned in DNSKEY RR without that key actively being used in
> signing. This prevents a caching resolver being caught between a key
> rotation where it ends up with the old set of DNSKEY cached, and RRs
> signed with a new key not in that set.
>
> The same mechanism can also be used to have a key ready for emergency
> rotation. The key is already published and can be used for signing
> immediately, rather than waiting for TTLs.
I thought that was what the Publish interval was all about? Why three 
periods, /inception - publish/publish - ready/ready - active/?
I could see a ready state for a standby key, maybe? However, these
periods are not bound to a length of time, but to the occurrence of
their start and end events. So a standby key can be defined as any key
that has been published but not activated.
> At the other end, the time between active and unpublished is to allow
> for resolvers to be able to validate their old signed RR with the old
> DNSKEY until TTL for everything has passed.
That I understand, but why the period from unpublished to dead? Surely
once a key has reached unpublished it is dead and should be deleted
asap! So why define a period between unpublished and dead?

John Allen
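The cache race Ted describes, as an added example that is not part of the thread (all TTLs, key names and times are constructed): a brute-force scan that confirms a pre-publish gap of one DNSKEY TTL before "active" and a post-retire gap of the longest RR TTL before removal leave no fetch-time pair where a resolver holds a signature without the matching DNSKEY, while collapsing either gap does.

```python
"""Resolver-cache race that the ready->active and unpublished->dead gaps exist to avoid.
Constructed example, not from the thread: abstract clock in seconds, two ZSKs, and a
brute-force scan over every (DNSKEY fetch time, record fetch time) pair."""

def cached_keys(fetch_time, schedule):
    """DNSKEY RRset a resolver receives at fetch_time: keys published and not yet removed."""
    return {k for k, s in schedule.items() if s["publish"] <= fetch_time < s["unpublish"]}

def signer_at(t, schedule):
    """Key whose RRSIGs the zone serves at time t (active <= t < retire), or None."""
    return next((k for k, s in schedule.items() if s["active"] <= t < s["retire"]), None)

def validation_failures(schedule, dnskey_ttl, rr_ttl, start, end, step=300):
    """Scan fetch times in [start, end). A pair (kf, rf) fails when a resolver can hold
    the DNSKEY set fetched at kf and a record fetched at rf at the same instant while
    the record's signer is missing from that set. An empty list means the timing is safe."""
    failures = []
    for kf in range(start, end, step):
        keys = cached_keys(kf, schedule)
        for rf in range(start, end, step):
            signer = signer_at(rf, schedule)
            if signer is None or signer in keys:
                continue
            # Both cached copies are alive together iff their lifetimes overlap.
            if max(kf, rf) < min(kf + dnskey_ttl, rf + rr_ttl):
                failures.append((kf, rf))
    return failures

DNSKEY_TTL, RR_TTL = 3600, 7200   # constructed TTLs: DNSKEY RRset and the longest signed RR
ROLL = 36000                      # constructed instant at which key2 goes active and key1 retires

def schedule(pre_publish, post_retire):
    """Two-key ZSK rollover: key2 enters the DNSKEY RRset pre_publish seconds before it
    signs; key1 stays in the RRset post_retire seconds after its last signature."""
    far = 10**6   # "long before" / "long after" the window we scan
    return {
        "key1": {"publish": -far, "active": -far, "retire": ROLL, "unpublish": ROLL + post_retire},
        "key2": {"publish": ROLL - pre_publish, "active": ROLL, "retire": far, "unpublish": far},
    }

SAFE = schedule(pre_publish=DNSKEY_TTL, post_retire=RR_TTL)   # gaps sized to the TTLs
RUSHED = schedule(pre_publish=0, post_retire=0)               # ready==active, unpublished==dead
WINDOW = (ROLL - 4 * DNSKEY_TTL, ROLL + 4 * DNSKEY_TTL)       # four hours either side of the roll

if __name__ == "__main__":
    print("safe  :", validation_failures(SAFE, DNSKEY_TTL, RR_TTL, *WINDOW))
    print("rushed:", validation_failures(RUSHED, DNSKEY_TTL, RR_TTL, *WINDOW)[:4], "...")
```

Dropping only the post-retire gap leaves failures solely on the old key's side (records signed by key1 seen by a resolver whose fresh DNSKEY set no longer contains it), which is the "active to unpublished" case Ted describes.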