Matthijs Mekking <[email protected]> writes:

>> Mathematically, I think the actual time needed to wait is 30 %
>> queryInterval, which may actually be 0 in some cases and just shy of
>> queryInterval in others. Sound about right?
>
> I am sorry, I don't understand this logic, can you elaborate?
>
> The way I see it, queryInterval is always at minimum 1 hr and at most 15
> days (not taking into account retryTime).
In the end, the first (newly valid) time the validator queries for and gets the new DNSKEY will be N minutes after the signature expiration time. The validator's timer will start at that point. Because queryInterval is always equal to or less than 15 days, the validator will always see the key twice before the 30-day window is up.

So if 30 days is a multiple of the queryInterval (e.g., 15 days, or 5 days), then the first time the validator will see the key after the 30-day window is N minutes after the expiration time plus 30 days. Thus only one queryInterval needs to be added in this ideal case.

The less than ideal case is when 30 isn't evenly divisible by the queryInterval (e.g., 7 days), at which point the first time the validator will see the new key after the (sig_exp + N + 30 days) mark will be at (sig_exp + N + 30 days + remainder(30 days / 7)). So we don't need to add in a full queryInterval to cover the offset and can calculate it instead.

(That being said, I put "you might pick 2x for simplicity" into the draft.)

-- 
Wes Hardaker
USC/ISI

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
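The poll schedule sketched in the message, as an added example that is not part of the thread, the draft, or any validator's code: the validator first sees the new DNSKEY at sig_exp + N, starts its 30-day hold-down timer then (the RFC 5011 add hold-down), keeps polling every queryInterval, and can only accept the key at the first poll that lands at or after the end of that window. The code walks that schedule and also gives the same quantity in closed form, so the extra wait beyond the 30 days can be read off for any queryInterval rather than only for the 15-, 5- and 7-day cases named above. SIG_EXP and N are constructed sample values, and the function names are this example's own.

```python
"""Simulate a validator's RFC 5011-style poll schedule around the 30-day
add hold-down to see when a newly seen DNSKEY is first accepted.
Constructed values; not code from the thread, the draft, or a validator."""
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)
HOLD_DOWN = 30 * DAY            # add hold-down period from RFC 5011

# Constructed sample inputs (assumptions, not values from the thread).
SIG_EXP = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)   # old signature expiry
N = timedelta(minutes=37)       # delay after SIG_EXP until the first poll that sees the new key


def first_poll_after_window(sig_exp, n, query_interval, hold_down=HOLD_DOWN):
    """Return (poll_time, extra_wait).

    The validator first sees the new DNSKEY at sig_exp + n and starts its
    hold-down timer then.  It keeps polling every query_interval, so the key
    can only be accepted at the first poll at or after the end of the
    hold-down window; extra_wait is how far past that end the poll lands.
    """
    if query_interval <= timedelta(0):
        raise ValueError("queryInterval must be positive")
    first_seen = sig_exp + n
    window_end = first_seen + hold_down
    poll = first_seen
    while poll < window_end:          # walk the poll schedule step by step
        poll += query_interval
    return poll, poll - window_end


def extra_wait_closed_form(query_interval, hold_down=HOLD_DOWN):
    """Same quantity without the loop: distance from hold_down up to the
    next multiple of query_interval (0 when hold_down is an exact multiple)."""
    return (-hold_down) % query_interval


def extra_wait_days(query_interval_days, hold_down_days=30):
    """Extra wait in days for a queryInterval given in days, using the
    constructed SIG_EXP and N; cross-checks the loop against the closed form."""
    qi = query_interval_days * DAY
    hold_down = hold_down_days * DAY
    _, extra = first_poll_after_window(SIG_EXP, N, qi, hold_down)
    assert extra == extra_wait_closed_form(qi, hold_down)
    return extra / DAY


if __name__ == "__main__":
    for days in (15, 5, 7, 4, 1.5):
        poll, extra = first_poll_after_window(SIG_EXP, N, days * DAY)
        print(f"queryInterval={days:>4} d  accept at {poll:%Y-%m-%d %H:%M}  "
              f"extra wait beyond 30 d: {extra / DAY:.1f} d")
```

Running it prints one line per queryInterval; intervals that divide 30 days evenly (15, 5, 1.5) add nothing beyond the window, while the others show how much of a queryInterval is still pending when the 30 days expire.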
