[Dnssec-deployment] Signature refresh interval Vs. SOA Expire

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Apr 19 07:25:06 EDT 2011


Hi

This is a follow-up on the discussion we had two months ago.

We (.SE) have decided to harmonize the signature lifetimes and the SOA Expire, where we focus on the availability of the zone while also taking the security of DNSSEC into account. We will, on the 18th May, change the signature lifetimes to be between 10.2 and 14.2 days and also lower the SOA Expire to 10 days. We will thus have 7 days to assess the problem and work on it before we have to make a decision to start our emergency routines (remove DS and start manual distribution of the zone).

The different values are based on a set of formulas where the input is the time we would like to have in order to make a decision to start the emergency routines.

*** Always have valid signatures in the name server ***
Signature Refresh = SOA Expire + Propagation Delay + TTLdnskey
Propagation Delay = 2 hours
TTLdnskey = 2 hours

*** Keep the old signature renewal rate ***
Signature Validity = Signature Refresh + 3 days
Jitter = 1 day

*** Time to remove the DS from root ***
DprpP = 2 days (propagation delay in the parent zone)
TTLds = 1 day

*** When to make a decision to remove DS from root ***
Tret < SOA Expire - DprpP - TTLds

// Rickard

On 28 feb 2011, at 10.34, Rickard Bellgrim wrote:

> Keeping a fresh zone is now important with DNSSEC. The remaining signature lifetime limits how long you have to restore your operations. .SE currently have signatures with remaining validity between 4 and 8 days, but with a SOA Expire of 28 days. This means that we have four days to get our servers up and running with an up-to-date zone. After the four days we have a zone with expired signatures for another 24 days. This is a little bit hazardous and we would like to change this. We see that there are two options here:
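The formulas above, carried through in code as an added example (not part of the original mail): the constants are the ones Rickard gives, the function and class names are my own, and the last check is the availability invariant behind "always have valid signatures in the name server", applied both to the new .SE parameters and to the 4-to-8-day / 28-day setup quoted below.

```python
from dataclasses import dataclass
from datetime import timedelta

# Operational inputs from the mail; everything else is derived from them.
PROP_DELAY = timedelta(hours=2)     # Propagation Delay to the name servers
TTL_DNSKEY = timedelta(hours=2)     # TTLdnskey
DPRP_P = timedelta(days=2)          # DprpP: propagation delay in the parent (root)
TTL_DS = timedelta(days=1)          # TTLds
RENEWAL_MARGIN = timedelta(days=3)  # keeps the old signature renewal rate
JITTER = timedelta(days=1)


@dataclass(frozen=True)
class SigningPlan:
    soa_expire: timedelta
    sig_refresh: timedelta   # remaining validity at which a signature is re-signed
    sig_validity: timedelta  # lifetime of a freshly made signature, before jitter


def derive_plan(t_decision_days: float) -> SigningPlan:
    """Turn Tret (time wanted to decide on removing the DS) into the zone timers.

    Tret < SOA Expire - DprpP - TTLds is solved for the smallest SOA Expire that
    leaves Tret available; the two signature formulas are then applied on top.
    """
    soa_expire = timedelta(days=t_decision_days) + DPRP_P + TTL_DS
    sig_refresh = soa_expire + PROP_DELAY + TTL_DNSKEY
    sig_validity = sig_refresh + RENEWAL_MARGIN
    return SigningPlan(soa_expire, sig_refresh, sig_validity)


def remaining_lifetime_range(plan: SigningPlan) -> tuple:
    """Interval the remaining RRSIG validity moves in on the signer (min, max)."""
    return plan.sig_refresh, plan.sig_validity + JITTER


def decision_window(plan: SigningPlan) -> timedelta:
    """Time left to decide on DS removal before secondaries expire the zone."""
    return plan.soa_expire - DPRP_P - TTL_DS


def signatures_outlive_stale_zone(min_remaining_days: float, soa_expire_days: float) -> bool:
    """A secondary serving its last copy until SOA Expire must never hand out an
    already-expired RRSIG, even after propagation delay and a cached DNSKEY."""
    needed = timedelta(days=soa_expire_days) + PROP_DELAY + TTL_DNSKEY
    return timedelta(days=min_remaining_days) >= needed


def days(td: timedelta) -> float:
    """Express a timedelta in days, rounded the way the mail quotes them (10.2, 14.2)."""
    return round(td.total_seconds() / 86400, 1)
```

With `derive_plan(7)` the output reproduces the announced values (SOA Expire 10 days, signatures between 10.2 and 14.2 days), while `signatures_outlive_stale_zone(4, 28)` shows why the earlier configuration left a stale zone serving expired signatures.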


