To paraphrase the key timings draft:
* A key in the "publish" state moves into the "ready" state when it has
* been published for at least:
*
* Ipc = TTLkeyc + Dpc + Sp
*
* ... where:
*
* TTLkeyc = TTL of the ZSK DNSKEY record
* Dpc = Propagation delay
* Sp = Publish Safety Margin
*
OpenDNSSEC will attempt to publish a key at least this far ahead of the
previous ZSK's retire time. It is slightly complicated by the run interval of
the enforcer, so might be a bit earlier.
Generation may be as required (i.e. it will be generated and published at the
same time) or you may generate a whole batch of keys ahead of schedule.
Sion
________________________________
From: [email protected]
[[email protected]] on behalf of Javier Jiménez
Huedo [[email protected]]
Sent: 13 May 2014 13:18
To: [email protected]
Subject: [Opendnssec-user] How to calc new ZSK / KSK and pre-publish date
Dear OpenDNSSEC users,
I am confused about the following behavior of OpenDNSSEC:
I have the following ZSK active key:
Key type  State:  Next transition:
ZSK       active  2014-05-19 16:02:20 (retire)
KSK Lifetime P20D
ZSK LifeTime P10D
How can I calculate the date of generation of the next ZSK key?
How can I calculate the date of pre-publication of the next ZSK key?
Kasp.xml:
<Signatures>
<Resign>PT5H</Resign>
<Refresh>P2D</Refresh>
<Validity>
<Default>P5D</Default>
<Denial>P5D</Denial>
</Validity>
<InceptionOffset>PT3600S</InceptionOffset>
...
</Signatures>
<Keys>
<TTL>PT3600S</TTL>
<PublishSafety>PT1H</PublishSafety>
...
</Keys>
<Zone>
<PropagationDelay>PT30S</PropagationDelay>
...
</Zone>
<Parent>
<PropagationDelay>PT5H</PropagationDelay>
<DS><TTL>P1D</TTL></DS>
<SOA><TTL>P1D</TTL> <Minimum>P1D</Minimum></SOA>
</Parent>
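The Ipc formula from the reply, applied to the policy values and retire time given in the question. This is an added example, not part of either message and not OpenDNSSEC code. Assumptions: the `<Policy>` wrapper, the function names, and the enforcer start time and one-hour run interval are hypothetical, and the enforcer is modelled as acting on its last run at or before the deadline.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed input: values taken from the kasp.xml excerpt in the question,
# wrapped in a hypothetical <Policy> root so the fragment parses on its own.
KASP = """<Policy>
  <Keys><TTL>PT3600S</TTL><PublishSafety>PT1H</PublishSafety></Keys>
  <Zone><PropagationDelay>PT30S</PropagationDelay></Zone>
</Policy>"""

_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    """Parse the duration forms used on this page (P10D, PT5H, PT3600S)."""
    m = _DUR.match(text.strip())
    if not m or not any(m.groups()):
        raise ValueError("unsupported duration: %r" % text)
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def publish_interval(kasp_xml):
    """Ipc = TTLkeyc + Dpc + Sp, read from the policy fragment."""
    root = ET.fromstring(kasp_xml)
    ttl = parse_duration(root.findtext("Keys/TTL"))               # TTLkeyc
    dpc = parse_duration(root.findtext("Zone/PropagationDelay"))  # Dpc
    sp = parse_duration(root.findtext("Keys/PublishSafety"))      # Sp
    return ttl + dpc + sp

def latest_publish(retire, ipc, first_run=None, run_interval=None):
    """Latest time the next ZSK can be published and still be ready at retire.

    With an enforcer schedule (assumed model), return the last run that
    falls at or before that deadline, which is why publication can be earlier.
    """
    deadline = retire - ipc
    if first_run is None or run_interval is None:
        return deadline
    runs = (deadline - first_run) // run_interval  # whole runs before deadline
    return first_run + runs * run_interval

if __name__ == "__main__":
    retire = datetime(2014, 5, 19, 16, 2, 20)  # "Next transition" in the question
    ipc = publish_interval(KASP)
    print("Ipc:", ipc)
    print("publish no later than:", latest_publish(retire, ipc))
    # Hypothetical enforcer schedule: hourly runs starting at midnight
    print("enforcer run that publishes:",
          latest_publish(retire, ipc, datetime(2014, 5, 19), timedelta(hours=1)))
```

This covers the ZSK pre-publish timing only; the `<Parent>` values in the excerpt are not part of the Ipc formula quoted in the reply.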