[Opendnssec-user] kasp.xml Validity tag
Dupond Mailing
2017-04-19 10:54:14 UTC
Hello guys,

Recently, some zones were not secured anymore because of the Validity
Period. The reason was that the signature expiration field of the RRSIG
RR was too old.

For this time, I solved this problem by updating my zone. But I don't
want to update all of my zones to avoid this.

Is there any rule to calculate the Default and Denial durations for non
changing zones?

Thanks!

Gilles
Yuri Schaeffer
2017-04-19 11:59:40 UTC
Hi Gilles,
Post by Dupond Mailing
Recently, some zones were not secured anymore because of the Validity
Period. The reason was that the signature expiration field of the RRSIG
RR was too old.
For this time, I solved this problem by updating my zone. But I don't
want to update all of my zones to avoid this.
I'm not sure if I understand your problem correctly. OpenDNSSEC is
specifically designed to do this. So as long as it is running
(specifically the signer in this case) it should take care of renewing
signatures.

If you don't want to change your zones after signing and don't want to
have OpenDNSSEC running you can just set the signature validity to a
period ending after your retirement and hope someone else will be there
to deal with it by that time. Is this what you are asking?
Post by Dupond Mailing
Is there any rule to calculate the Default and Denial durations for non
changing zones?
These durations are configured in the KASP, no calculations required.
The signature end time might differ from record to record depending on
time changed and jitter. Though if all records are signed simultaneously
a 'dig +dnssec' for some record will suffice to read the date on the
signature.

Best regards,
Yuri
Dupond Mailing
2017-04-19 13:12:25 UTC
Hello Yuri,

I solved this problem for other zones by using the "sign" command from
the ods-signer cli.

But I thought that the signer would have changed the signature end time
every time it runs, right? Now the end time is set to 14 days later.
I'll keep an eye on it.

Thanks
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Yuri Schaeffer
2017-04-19 13:42:38 UTC
Post by Dupond Mailing
But I thought that the signer would have change the signature end time
every time it runs, right? Now the end time is set to 14 days later.
I'll keep an eye on it.
Not entirely. There are 3 variables in play here:

- Validity period (default and denial)
- Resign Interval
- Refresh period


The Validity period is the period in which signatures are usable by
validators (i.e. the timestamps you see when 'digging' a record). The
resign interval is the amount of time the signer waits between checks to
see if any work needs to be done for that policy. It is dormant in
between unless you prod it manually by giving it commands on the CLI.
Last, the refresh period is the time BEFORE the end of the validity
period in which the signer will regenerate signatures that are about to
expire.

So most of the time when the signer runs (resign interval) it will do
nothing for a particular signature, unless that signature is about to
expire (Tnow > Tsignature + Ivalidity - IRefresh).

The idea is of course that (Iresign < Irefresh < Ivalidity).
So for example, signatures are valid for 14 days, refresh them if they
expire within 3 days, and check for that condition every 2 hours.

//Yuri
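Added example (not from this thread or from the OpenDNSSEC code base) that models the three timers Yuri describes, using the thread's own numbers, and computes the first signer wake-up at which a signature is refreshed. The kasp.xml element names (Signatures/Resign, Refresh, Validity/Default, Validity/Denial) follow a standard OpenDNSSEC policy file; the policy fragment and the RRSIG timestamp are constructed.

```python
# Added example: models Resign / Refresh / Validity and the refresh rule
# Tnow > Tsignature + Ivalidity - Irefresh from the thread. Not OpenDNSSEC code.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed kasp.xml fragment with the thread's values: signatures valid
# 14 days, refreshed when within 3 days of expiry, signer checks every 2 hours.
KASP_XML = """<KASP><Policy name="default"><Signatures>
  <Resign>PT2H</Resign><Refresh>P3D</Refresh>
  <Validity><Default>P14D</Default><Denial>P14D</Denial></Validity>
</Signatures></Policy></KASP>"""

_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    """Parse the ISO 8601 duration subset used in kasp.xml (days, hours, minutes, seconds)."""
    m = _DUR.match(text)
    if not m:
        raise ValueError("unsupported duration: " + text)
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def load_signature_timers(xml_text):
    """Read the three timers (plus Denial validity) from a policy's <Signatures> block."""
    sig = ET.fromstring(xml_text).find("./Policy/Signatures")
    return {
        "resign": parse_duration(sig.findtext("Resign")),
        "refresh": parse_duration(sig.findtext("Refresh")),
        "validity": parse_duration(sig.findtext("Validity/Default")),
        "denial": parse_duration(sig.findtext("Validity/Denial")),
    }

def policy_is_sane(timers):
    """Yuri's ordering requirement: Iresign < Irefresh < Ivalidity (checked for both validities)."""
    return (timers["resign"] < timers["refresh"] < timers["validity"]
            and timers["refresh"] < timers["denial"])

def parse_rrsig_time(text):
    """RRSIG inception/expiration as printed by 'dig +dnssec': YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def needs_refresh(now, expiration, refresh):
    """Refresh once 'now' is inside the refresh window before the expiration time."""
    return now > expiration - refresh

def next_refresh_time(inception, timers):
    """First signer wake-up (every Resign, counted from inception) that regenerates the signature."""
    expiration = inception + timers["validity"]
    t = inception
    while not needs_refresh(t, expiration, timers["refresh"]):
        t += timers["resign"]
    return t
```

With an inception of 2017-04-19 00:00 UTC the signature expires on 3 May and is regenerated at the first check after 30 April 00:00, matching the dates Gilles arrives at below.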
Dupond Mailing
2017-04-19 14:58:28 UTC
Ok, your example is very clear. That's the configuration I have right now.

So if I understand, if the signature end time is set to the 3rd of May, it
must be changed on the 30th of April or the 1st of May.

Thank you,

Gilles