On 1/22/2015 8:32 PM, Ted Cooper wrote:
> On 23/01/15 04:50, John wrote:
>> Why a formal period between "ready" and "active"? Surely if the publishing period is correctly chosen then a key is activated when ready. Similarly, when a key has reached the end of its retirement and is dead, surely it should be removed from the system asap. The more junk there is lying around, the greater the likelihood of error.
>
> The time period between "ready" and "active" is to allow for the key to be returned in the DNSKEY RR without that key actively being used in signing. This prevents a caching resolver from being caught between a key rotation where it ends up with the old set of DNSKEY cached, and RRs signed with a new key not in that set.
>
> The same mechanism can also be used to have a key ready for emergency rotation. The key is already published and can be used for signing immediately, rather than waiting for TTLs.

I thought that was what the Publish interval was all about? Why three periods, /inception - publish/publish - ready/ready - active/? I could see a ready state for a standby key, maybe? However, these periods are not bound to a length of time, but to the occurrence of their start and end events. So a standby key can be defined as any key that has been published but not activated.

> At the other end, the time between active and unpublished is to allow for resolvers to be able to validate their old signed RRs with the old DNSKEY until the TTL for everything has passed.

That I understand, but why the period from unpublished to dead? Surely once a key has reached unpublished it is dead and should be deleted asap! So why define a period between unpublished and dead?

John Allen
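The two intervals Ted defends in the thread (publish -> activate so resolvers already hold the new DNSKEY before signatures made with it appear, and inactive -> delete so cached signatures made with the old key still validate) can be checked mechanically against the zone's TTLs. The following is an added example written for this page, not code from the thread or from any DNSSEC tool; the event names Publish/Activate/Inactive/Delete follow the lifecycle described above, the key timelines are constructed, and the thresholds (DNSKEY TTL plus propagation delay for the ready interval, maximum zone TTL plus propagation delay for the retire interval) are a deliberately simplified model of what an operator would need to cover.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class KeyTiming:
    """One key's lifecycle events (constructed; not a real zone's metadata)."""
    name: str
    publish: datetime    # DNSKEY first appears in the zone ("published")
    activate: datetime   # key starts producing RRSIGs ("active")
    inactive: datetime   # key stops producing RRSIGs ("unpublished" in the thread)
    delete: datetime     # DNSKEY removed from the zone ("dead")


def check_key_timing(key: KeyTiming, dnskey_ttl: timedelta,
                     max_zone_ttl: timedelta, propagation: timedelta) -> list:
    """Return a list of problems with one key's timeline (empty list = OK).

    Assumed model:
    - ready interval (publish -> activate) must be at least DNSKEY TTL plus
      propagation delay, so no resolver can still hold the old DNSKEY RRset
      when it first sees an RRSIG made with the new key;
    - retire interval (inactive -> delete) must be at least the maximum TTL of
      any signed record plus propagation delay, so no cached RRSIG made with
      this key outlives the key it needs for validation.
    """
    problems = []
    if not (key.publish <= key.activate <= key.inactive <= key.delete):
        problems.append(f"{key.name}: events are out of order")
        return problems

    ready = key.activate - key.publish
    need_ready = dnskey_ttl + propagation
    if ready < need_ready:
        problems.append(
            f"{key.name}: ready interval {ready} is shorter than "
            f"DNSKEY TTL + propagation ({need_ready}); resolvers with the old "
            f"DNSKEY RRset cached may see RRSIGs from a key they do not have")

    retire = key.delete - key.inactive
    need_retire = max_zone_ttl + propagation
    if retire < need_retire:
        problems.append(
            f"{key.name}: retire interval {retire} is shorter than "
            f"max zone TTL + propagation ({need_retire}); cached RRSIGs made "
            f"with this key may outlive the DNSKEY needed to validate them")
    return problems


def is_standby(key: KeyTiming, now: datetime) -> bool:
    """A standby key, as John defines it: published but not yet activated."""
    return key.publish <= now < key.activate


# Constructed zone parameters and timelines for the demonstration.
DNSKEY_TTL = timedelta(hours=24)
MAX_ZONE_TTL = timedelta(hours=24)
PROPAGATION = timedelta(hours=1)   # assumed time for all secondaries to catch up

T0 = datetime(2015, 1, 23, 0, 0)
GOOD_KEY = KeyTiming("ksk-good", publish=T0,
                     activate=T0 + timedelta(hours=36),
                     inactive=T0 + timedelta(days=30),
                     delete=T0 + timedelta(days=30, hours=48))
# Activated 1h after publication and deleted the moment it goes inactive:
# this is the "activate when ready, delete asap" schedule from the question.
RUSHED_KEY = KeyTiming("ksk-rushed", publish=T0,
                       activate=T0 + timedelta(hours=1),
                       inactive=T0 + timedelta(days=30),
                       delete=T0 + timedelta(days=30))


def audit(keys) -> dict:
    """Map key name -> list of problems, for every key in the zone."""
    return {k.name: check_key_timing(k, DNSKEY_TTL, MAX_ZONE_TTL, PROPAGATION)
            for k in keys}


if __name__ == "__main__":
    for name, problems in audit([GOOD_KEY, RUSHED_KEY]).items():
        print(name, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
    print("standby at T0+12h:", is_standby(GOOD_KEY, T0 + timedelta(hours=12)))
```

Run against the two constructed timelines, the "rushed" schedule is flagged on both ends: a resolver that cached the DNSKEY RRset just before publication still has it 1 hour later, and any RRSIG fetched just before the key went inactive is still in caches after the DNSKEY has been deleted. The zone's own TTLs and propagation delay are inputs; the only thing the check encodes is the ordering argument Ted makes.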