[Dnssec-deployment] Signature refresh interval Vs. SOA Expire

Richard Lamb richard.lamb at icann.org
Thu Apr 21 11:58:15 EDT 2011


Rickard-

Thank you.  I have been analyzing the deployment of DNSSEC on many ccTLDs and see the SOAExp-Validity period balance to be unrealistic on some.
It is always good to see the guys at .SE lead the way (as you have always done).

-Rick




> -----Original Message-----
> From: dnssec-deployment-bounces at dnssec-deployment.org [mailto:dnssec-deployment-bounces at dnssec-
> deployment.org] On Behalf Of Rickard Bellgrim
> Sent: Tuesday, April 19, 2011 4:25 AM
> To: Rickard Bellgrim
> Cc: DNSSEC deployment
> Subject: Re: [Dnssec-deployment] Signature refresh interval Vs. SOA Expire
> 
> Hi
> 
> This is a follow-up on the discussion we had two months ago.
> 
> We (.SE) have decided to harmonize the signature lifetimes and the SOA Expire, where we focus on the
> availability of the zone but also take the security of DNSSEC into account. We will, on the 18th
> May, change the signature lifetimes to be between 10.2 and 14.2 days and also to lower the SOA Expire
> to 10 days. We will thus have 7 days to assess the problem and work on it before we have to make a
> decision to start our emergency routines (remove DS and start manual distribution of the zone).
> 
> The different values are based on a set of formulas where the input is the time we would like to have
> in order to make a decision to start the emergency routines.
> 
> *** Always have valid signatures in the name server ***
> Signature Refresh = SOA Expire + Propagation Delay + TTLdnskey
> Propagation Delay = 2 hours
> TTLdnskey = 2 hours
> 
> *** Keep the old signature renewal rate ***
> Signature Validity = Signature Refresh + 3 days
> Jitter = 1 day
> 
> *** Time to remove the DS from root ***
> DprpP = 2 days (propagation delay in the parent zone)
> TTLds = 1 day
> 
> *** When to make a decision to remove DS from root ***
> Tret < SOA Expire - DprpP - TTLds
> 
> // Rickard
> 
> On 28 feb 2011, at 10.34, Rickard Bellgrim wrote:
> 
> > Keeping a fresh zone is now important with DNSSEC. The remaining signature lifetime limits how long
> you have to restore your operations. .SE currently has signatures with remaining validity
> between 4 and 8 days, but with a SOA Expire on 28 days. This means that we have four days to get our
> servers up and running with an up-to-date zone. After the four days we have a zone with expired
> signatures for another 24 days. This is a little bit hazardous and we would like to change this. We
> see that there are two options here:
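The formulas quoted above, worked through in Python as an added example (not .SE's or the list's code): it derives the whole timer set from the 7-day decision time, reproduces the 10.2 to 14.2 day remaining-lifetime window and the 7-day deadline, and compares the expired-zone window of the February setup (4 days remaining, SOA Expire 28 days) with the new one. Reading Jitter as adding up to one day to the signature validity is an assumption.

```python
from datetime import timedelta

H = timedelta(hours=1)
D = timedelta(days=1)

def plan_timers(decision_time, propagation_delay=2 * H, ttl_dnskey=2 * H,
                dprp_parent=2 * D, ttl_ds=1 * D, renewal_margin=3 * D, jitter=1 * D):
    """Derive the timer set from Tret, the time wanted before deciding on the
    emergency routines: invert Tret < SOA Expire - DprpP - TTLds for the smallest
    SOA Expire, then apply the mail's forward formulas."""
    soa_expire = decision_time + dprp_parent + ttl_ds
    refresh = soa_expire + propagation_delay + ttl_dnskey   # always valid signatures
    validity = refresh + renewal_margin                      # keep old renewal rate
    return {
        "soa_expire": soa_expire, "propagation_delay": propagation_delay,
        "ttl_dnskey": ttl_dnskey, "dprp_parent": dprp_parent, "ttl_ds": ttl_ds,
        "signature_refresh": refresh, "signature_validity": validity,
        # remaining lifetime a resolver can observe: just before re-signing up to
        # the freshest signature (assumption: jitter adds up to +Jitter to validity)
        "min_remaining": refresh, "max_remaining": validity + jitter,
    }

def expired_zone_window(soa_expire, min_remaining):
    """Time secondaries keep serving a zone whose signatures have already expired
    after the master is lost; zero means the signatures outlive the zone."""
    return max(soa_expire - min_remaining, 0 * D)

def signatures_outlive_zone(t):
    """Worst case: the master is lost just as a signature hits the refresh
    threshold.  A secondary may have fetched it propagation_delay later, serves it
    for SOA Expire, and resolvers cache the records for TTLdnskey after that."""
    stale_served_for = t["propagation_delay"] + t["soa_expire"] + t["ttl_dnskey"]
    return t["min_remaining"] >= stale_served_for

def decision_deadline(t):
    """Latest time after the outage to decide on removing the DS from the root,
    so the removal is visible everywhere before the zone expires (Tret bound)."""
    return t["soa_expire"] - t["dprp_parent"] - t["ttl_ds"]

def days(td):
    """Render a timedelta in days with one decimal, as the mail does (10.2, 14.2)."""
    return round(td / D, 1)

if __name__ == "__main__":
    new = plan_timers(decision_time=7 * D)   # the 18 May 2011 plan: Tret = 7 days
    print("SOA Expire", days(new["soa_expire"]), "d; remaining lifetime",
          days(new["min_remaining"]), "..", days(new["max_remaining"]), "d")
    print("expired-zone window, old setup:", days(expired_zone_window(28 * D, 4 * D)), "d")
```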