-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Maurice,
> I noticed that the signature validity time gets added to the > retire period for keys. I am wondering why this is ? I have a TTL > of 1 hour for the keys. My signature validity time is 28 days. > With a TTL of 1H for the keys I think that normally it would be > safe for the old ZSK to stay in the retire state for a few hours > and then be marked dead. Well the fact that your keys (i.e. DNSKEY records) will be cached for 1H says nothing about the TTL of the other records. Signatures get the TTL of the records they are signing. As long as these records are still cached the key must be (post)published. > But now it wil be in the retire state for 28 days. I think this is > strange. Or am I missing something ? What you are missing is what the signer does. Instead of generating all new signatures with the new key at once it will only replace the (soon to be) expired signatures. And keep both the new and old key published until this transition is done. Which could potentially take the validity time. //Yuri -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Icedove - http://www.enigmail.net/ iEYEARECAAYFAlNirsoACgkQI3PTR4mhavj/SQCguA0vn8zLoNBPcT6rTTEyMN0+ 0FUAnR0SSVKLBxI0b2GuSdTEpEU04qda =SiqG -----END PGP SIGNATURE----- _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
