On Thu, Mar 03, 2005 at 05:45:40PM -0500, Scott Hollenbeck wrote:
> > On Mon, Jan 24, 2005 at 05:57:32PM -0500, Samuel Weiler wrote:
> > > Section 2.1.2: It's still not clear exactly how the <secDNS:infData>
> > > element's sDate, eDate and vInterval should be used: in particular,
> > > none of these seem to specify a desired RRSIG lifetime. Perhaps sDate
> > > and eDate are intended to do that, though it's likely that a DNSKEY
> > > will be in use for far longer than the requested signing interval --
> > > perhaps another field <maxRRSIGlifetime> is needed? This way a client
> > > could say: don't publish this DS until time X, use an RRSIG lifetime
> > > no more than 3 days, resigning the DSset every day, and quit
> > > publishing this DS after 30 days.
> >
> > By my reading:
> >
> > sDate means not being put in zone before it is that time.
> > eDate means taking it out of zone (preferably minus the eDate
> > minus lifetime of the parent RRSIG).
> > RRSIG lifetime, if honored, is supposed to be governed by the
> > signature interval that the client desires (i.e. only have the signature
> > valid for 4 days at a time as it moves between sDate and eDate).
> >
> > Does that make sense?
>
> Mark: are you suggesting that what's currently in there now as vInterval
> more correctly identifies the RRSIG lifetime?
I'm not sure it is needed, as it seems a bit redundant to me. Sam, please correct me if I'm wrong.

Mark

--
Mark Kosters [EMAIL PROTECTED] Verisign Applied Research
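The reading of sDate, eDate and vInterval that Mark gives above, turned into a DS publication schedule for Sam's scenario (publish at X, RRSIGs no longer than 3 days, re-sign daily, stop after 30 days). This is an added illustration, not code from the thread or from any EPP implementation; the field semantics are taken as Mark states them and are an assumption here, the `resign_every` parameter is an assumed operator setting rather than a field of the extension, and the value of X is constructed.

```python
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)


def ds_schedule(s_date, e_date, v_interval, resign_every):
    """Plan DS publication in the parent under Mark's reading of the fields.

    s_date       -- sDate: the DS is not put in the zone before this time
    e_date       -- eDate: no RRSIG over the DS should remain valid past this
    v_interval   -- vInterval, read as the RRSIG lifetime the client wants
    resign_every -- how often the DS RRset is re-signed (Sam's "every day";
                    an assumed operator setting, not a field in the draft)

    Returns (publish_at, withdraw_at, windows); windows is a list of
    (inception, expiration) pairs, one per RRSIG made over the DS RRset.
    """
    if v_interval <= timedelta(0) or resign_every <= timedelta(0):
        raise ValueError("vInterval and re-signing period must be positive")
    if e_date <= s_date:
        raise ValueError("eDate must be later than sDate")
    if resign_every > v_interval:
        # A gap between one RRSIG expiring and the next being made would
        # leave the DS RRset unverifiable for the whole gap.
        raise ValueError("re-signing period must not exceed vInterval")

    # Withdraw the DS one signature lifetime early ("eDate minus lifetime
    # of the parent RRSIG"), so every RRSIG over it has expired by eDate.
    withdraw_at = max(s_date, e_date - v_interval)

    windows = []
    inception = s_date
    # Always produce at least one RRSIG, even when eDate - sDate < vInterval.
    while inception < withdraw_at or not windows:
        # Each RRSIG lives vInterval, clipped so it never outlives eDate.
        expiration = min(inception + v_interval, e_date)
        windows.append((inception, expiration))
        inception += resign_every
    return s_date, withdraw_at, windows


def sam_example():
    """Sam's case: publish at X, 3-day RRSIGs, re-sign daily, stop after 30 days."""
    x = datetime(2005, 3, 3, tzinfo=timezone.utc)  # constructed value for X
    return ds_schedule(x, x + 30 * DAY, 3 * DAY, 1 * DAY)


if __name__ == "__main__":
    publish_at, withdraw_at, windows = sam_example()
    print("publish", publish_at, "withdraw", withdraw_at, "RRSIGs", len(windows))
```

With Sam's numbers the DS is pulled at X+27 days, so the last RRSIG (made at X+26) expires at X+29, before eDate.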
