Hi, I've been wondering whether the default value (3600s) for key PublishSafety margin is too short. As OpenDNSSEC is usually used as a bump-in-the-wire signer, it has no visibility to what is actually published in DNS. When OpenDNSSEC decides to roll a key it calculates the intended pre-publication period by DNSKEY TTLs, the PublishSafety and other margins, right? When the pre-publication period has passed, ODS thinks that the new key has reached the caches and can be used for signing, but this might not be the case if for example the authoritative server(s) have been unavailable at the time when ODS published the new key.
I'm not 100% sure but IIRC there have been validation failures that have been caused by the signer (not necessarily ODS) calculating too optimistic pre-publication intervals without visibility to what is actually available in public DNS. Any thoughts?

Antti

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
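A worked illustration of the timing concern raised in the post, added here as an example; it is not OpenDNSSEC code and not the poster's. The rollover model is a simplified assumption (new key usable after publish time + propagation delay + DNSKEY TTL + PublishSafety), and the server names and timestamps are constructed. It contrasts that TTL-only estimate with one anchored on when each authoritative server was actually observed serving the new DNSKEY, which is what a signer without DNS visibility cannot do on its own:

```python
"""Added example (not OpenDNSSEC code): TTL-based vs. observation-based
estimate of when a pre-published DNSKEY can be trusted to be in caches.
Assumed simplified model: ready = publish + propagation + DNSKEY TTL + PublishSafety.
"""
from datetime import datetime, timedelta, timezone

# Constructed parameters, roughly in the spirit of a kasp.xml policy.
DNSKEY_TTL = timedelta(hours=1)
PUBLISH_SAFETY = timedelta(hours=1)      # the default discussed in the post
PROPAGATION_DELAY = timedelta(hours=1)

# Constructed publish time of the new DNSKEY by the signer.
T0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)

# Constructed observations: first time each authoritative server was seen
# serving the new key. ns2 was unreachable for hours, so it served the key late.
OBSERVED_FIRST_SEEN = {
    "ns1.example": T0 + timedelta(hours=1),
    "ns2.example": T0 + timedelta(hours=5),
}


def intended_ready_time(publish_time, dnskey_ttl, publish_safety, propagation_delay):
    """Earliest time a signer without DNS visibility assumes the new DNSKEY
    has reached all validating caches (assumed simplified formula)."""
    return publish_time + propagation_delay + dnskey_ttl + publish_safety


def observed_ready_time(first_seen, dnskey_ttl, publish_safety):
    """Ready time derived from actual publication: the *latest* server to
    start serving the key plus DNSKEY TTL and safety margin.
    Returns None while any server has not yet been seen serving the key."""
    if any(seen is None for seen in first_seen.values()):
        return None
    return max(first_seen.values()) + dnskey_ttl + publish_safety


def safe_to_sign(now, ready_time):
    """True only once the chosen ready time has passed."""
    return ready_time is not None and now >= ready_time


def compare(now):
    """Return both verdicts for a given moment so they can be compared."""
    intended = intended_ready_time(T0, DNSKEY_TTL, PUBLISH_SAFETY, PROPAGATION_DELAY)
    observed = observed_ready_time(OBSERVED_FIRST_SEEN, DNSKEY_TTL, PUBLISH_SAFETY)
    return {
        "intended_ready": intended,
        "observed_ready": observed,
        "signer_thinks_safe": safe_to_sign(now, intended),
        "actually_safe": safe_to_sign(now, observed),
    }


if __name__ == "__main__":
    now = T0 + timedelta(hours=3)
    for k, v in compare(now).items():
        print(f"{k}: {v}")
```

At T0 + 3h the TTL-only estimate says the key is ready, while the observation-based one does not: ns2 only started serving the key at T0 + 5h, so caches that last refreshed from ns2 may lack it until T0 + 7h. Feeding the enforcer a larger PublishSafety margin, or gating the transition on an external DNSKEY check against every authoritative server, closes that gap.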
