> -----Original Message-----
> From: Mark Kosters [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 03, 2005 5:31 PM
> To: Samuel Weiler
> Cc: [email protected]; Scott Hollenbeck
> Subject: Re: [dnsop] EPP-DNSSEC Document Updates
>
> On Mon, Jan 24, 2005 at 05:57:32PM -0500, Samuel Weiler wrote:
> > Section 2.1.2: It's still not clear exactly how the <secDNS:infData>
> > element's sDate, eDate and vInterval should be used: in particular,
> > none of these seem to specify a desired RRSIG lifetime. Perhaps sDate
> > and eDate are intended to do that, though it's likely that a DNSKEY
> > will be in use for far longer than the requested signing interval --
> > perhaps another field <maxRRSIGlifetime> is needed? This way a client
> > could say: don't publish this DS until time X, use an RRSIG lifetime
> > no more than 3 days, resigning the DSset every day, and quit
> > publishing this DS after 30 days.
>
> By my reading:
>
> sDate means not being put in zone before it is that time
> eDate means taking it out of zone (preferably minus the eDate
> minus lifetime of the parent RRSIG).
> RRSIG lifetime, if honored, is supposed to be governed by the
> signature interval that the client desires (ie only have signature
> valid for 4 days at a time as it moves between sDate and eDate).
>
> Does that make sense?

Mark: are you suggesting that what's currently in there now as vInterval
more correctly identifies the RRSIG lifetime?

-Scott-

dnsop resources:
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
