> But I thought that the signer would have change the signature end time
> every time it runs, right? Now the end time is set to 14 days later.
> I'll keep an eye on it.

Not entirely. There are 3 variables in play here:
- Validity period (default and denial)
- Resign Interval
- Refresh period

The Validity period is the period in which signatures are usable by validators (i.e. the timestamps you see when 'digging' a record).

The resign interval is the amount of time the signer waits between checks to see if any work needs to be done for that policy. It is dormant in between unless you prod it manually by giving it commands on the CLI.

Last, the refresh period is the time BEFORE the end of the validity period in which the signer will regenerate signatures that are about to expire.

So most of the time when the signer runs (resign Interval) it will do nothing for a particular signature. Unless that signature is about to expire (Tnow > Tsignature + Ivalidity - IRefresh).

The idea is of course that (Iresign < Irefresh < Ivalidity). So for example Signatures are valid for 14 days, refresh them if they expire within 3 days, and check for that condition every 2 hours.

//Yuri
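Added example (not part of the original message and not OpenDNSSEC code): a small simulation of the refresh condition and the interval ordering described in the reply above, using its 14 day / 3 day / 2 hour figures next to a resign interval that breaks the ordering. The function names are hypothetical, Tsignature is assumed to be the time the signature was made, and only the three variables named in the message are modelled.

```python
from datetime import datetime, timedelta

def policy_is_sane(resign, refresh, validity):
    """Ordering from the message: Iresign < Irefresh < Ivalidity."""
    return resign < refresh < validity

def needs_refresh(now, signed_at, validity, refresh):
    """Condition from the message: Tnow > Tsignature + Ivalidity - Irefresh."""
    return now > signed_at + validity - refresh

def simulate(validity, refresh, resign, duration, start=datetime(2024, 1, 1)):
    """Wake every `resign` for `duration`; return (runs, re-sign times, time spent expired)."""
    signed_at = start              # assumption: Tsignature = when the signature was made
    runs, resigned, expired = 0, [], timedelta(0)
    now = start + resign
    while now <= start + duration:
        runs += 1
        if needs_refresh(now, signed_at, validity, refresh):
            expires = signed_at + validity
            if now > expires:      # validators saw an expired signature until this run
                expired += now - expires
            signed_at = now
            resigned.append(now)
        now += resign
    return runs, resigned, expired

if __name__ == "__main__":
    d, h = timedelta(days=1), timedelta(hours=1)   # constructed sample policies
    for label, resign in (("resign every 2h", 2 * h), ("resign every 5d", 5 * d)):
        runs, resigned, expired = simulate(14 * d, 3 * d, resign, 60 * d)
        print(label, "| sane:", policy_is_sane(resign, 3 * d, 14 * d),
              "| runs:", runs, "| re-signs:", len(resigned), "| expired for:", expired)
```

With the 2 hour interval the signer wakes 720 times in 60 days but replaces the signature only 5 times, which is why the end time does not move on every run; with a 5 day interval the check lands after expiry and validators see a stale signature for a day per cycle.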
