On Mon, Jan 24, 2005 at 05:57:32PM -0500, Samuel Weiler wrote:
> Section 2.1.2: It's still not clear exactly how the <secDNS:infData>
> element's sDate, eDate and vInterval should be used: in particular,
> none of these seem to specify a desired RRSIG lifetime.  Perhaps sDate
> and eDate are intended to do that, though it's likely that a DNSKEY
> will be in use for far longer than the requested signing interval --
> perhaps another field <maxRRSIGlifetime> is needed?  This way a client
> could say: don't publish this DS until time X, use an RRSIG lifetime
> no more than 3 days, re-signing the DSset every day, and quit
> publishing this DS after 30 days.

By my reading:

 sDate means it is not put in the zone before that time.
 eDate means taking it out of the zone (preferably at eDate minus the
   lifetime of the parent RRSIG).
 RRSIG lifetime, if honored, is supposed to be governed by the
   signature interval that the client desires (i.e. only have the signature
   valid for 4 days at a time as it moves between sDate and eDate).

Does that make sense?

Mark
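As an added illustration of the reading above (not code from either poster or from the draft), this Python model turns sDate, eDate and vInterval into a DS publication plan: publish at sDate, withdraw at eDate minus the parent's RRSIG lifetime, and sign the DS set in consecutive vInterval-long windows clipped at eDate. The `max_rrsig_lifetime` parameter stands in for the `<maxRRSIGlifetime>` field Samuel proposed and is hypothetical; all dates in the checker are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class SigWindow:
    """Inception and expiration of one RRSIG over the DS RRset."""
    inception: datetime
    expiration: datetime

def ds_schedule(s_date, e_date, v_interval, parent_rrsig_lifetime,
                max_rrsig_lifetime=None):
    """Turn sDate/eDate/vInterval into a publication plan for one DS record.
    s_date: the DS is not put in the zone before this time.
    e_date: the DS must be out of the zone, and unsigned, by this time.
    v_interval: how long each RRSIG over the DS set stays valid.
    parent_rrsig_lifetime: subtracted from eDate to find the withdrawal time
        so that no still-valid signature covers the DS after eDate (Mark's
        reading of eDate; an assumption of this model).
    max_rrsig_lifetime: optional cap on v_interval, standing in for the
        <maxRRSIGlifetime> field Samuel proposed (hypothetical field).
    """
    if e_date <= s_date:
        raise ValueError("eDate must be after sDate")
    if v_interval <= timedelta(0):
        raise ValueError("vInterval must be positive")
    if max_rrsig_lifetime is not None:
        v_interval = min(v_interval, max_rrsig_lifetime)
    publish_at = s_date
    withdraw_at = e_date - parent_rrsig_lifetime
    if withdraw_at <= publish_at:
        raise ValueError("window shorter than the parent's RRSIG lifetime")
    windows, t = [], publish_at
    while t < withdraw_at:
        # Clip so no signature over the DS set outlives eDate.
        windows.append(SigWindow(t, min(t + v_interval, e_date)))
        t += v_interval
    return publish_at, withdraw_at, windows

def schedule_is_consistent(publish_at, withdraw_at, windows, e_date):
    """Signatures cover the DS from publication to withdrawal without gaps,
    none is created after withdrawal and none outlives eDate."""
    if not windows or windows[0].inception != publish_at:
        return False
    if any(b.inception > a.expiration for a, b in zip(windows, windows[1:])):
        return False
    return (windows[-1].expiration >= withdraw_at and
            all(w.inception < withdraw_at and w.expiration <= e_date
                for w in windows))
```

For Samuel's scenario (publish at X, 3-day signatures, stop after 30 days, parent RRSIGs lasting 3 days) `ds_schedule` yields withdrawal on day 27 and nine signing windows, the last expiring exactly at withdrawal.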
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
