Yuri Schaeffer
2016-12-19 20:03:29 UTC
From the RRSIG, timestamps are
... 20161219184751 20161219164734 ...
That, then, appears to be a validity timeframe of only 2+ hours?
What config parameter specifies THAT range?
2+ hours seems rather short. I *am* currently working with policy == lab
Yes, the lab policy is not anywhere near a sane policy for production.
But it helps for testing, being able to track rollovers and resigns in
realtime. The default policy is a good starting point for actual use.
Main parameters here are signatures/validity/default
+signatures/inceptionoffset +/-signatures/jitter
So that I understand correctly, the valid signature range IS, or is NOT,
related to the 'typical' KSK/ZSK rollover times?
It is not. It determines how often signatures are refreshed. It has no
influence on how fast keys will roll.
//Yuri
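
An added example (not part of the original message, and not OpenDNSSEC code): it parses the two RRSIG timestamps quoted above and checks whether the resulting window is consistent with validity/default + inceptionoffset +/- jitter. The function names and the policy values (3600 s, 3600 s, 60 s) are constructed for illustration and are not the actual lab policy settings.

```python
from datetime import datetime, timezone


def parse_rrsig_time(field):
    """Parse an RRSIG presentation-format timestamp (YYYYMMDDHHmmSS, UTC)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def observed_window(expiration, inception):
    """Signature validity window in seconds.

    In RRSIG presentation format the expiration field precedes inception.
    """
    delta = parse_rrsig_time(expiration) - parse_rrsig_time(inception)
    seconds = int(delta.total_seconds())
    if seconds <= 0:
        raise ValueError("expiration is not after inception")
    return seconds


def expected_window(validity, inception_offset, jitter):
    """Bounds (lo, hi) in seconds of the window a policy can produce.

    Assumes the model stated in the message: the signature starts
    inception_offset before signing time and ends validity after it,
    shifted by at most +/- jitter.
    """
    if min(validity, inception_offset, jitter) < 0:
        raise ValueError("durations must be non-negative")
    base = validity + inception_offset
    return base - jitter, base + jitter


def window_matches_policy(expiration, inception, validity, inception_offset, jitter):
    """True if the observed RRSIG window fits what the policy can produce."""
    lo, hi = expected_window(validity, inception_offset, jitter)
    return lo <= observed_window(expiration, inception) <= hi


if __name__ == "__main__":
    # Timestamps quoted in the message; policy values are constructed.
    exp, inc = "20161219184751", "20161219164734"
    print("observed window:", observed_window(exp, inc), "s")
    print("expected bounds:", expected_window(3600, 3600, 60))
    print("consistent:", window_matches_policy(exp, inc, 3600, 3600, 60))
```

A mismatch here is a quick signal that the zone was signed under a different policy than the one you think is active.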