mirror of
https://github.com/isc-projects/bind9.git
synced 2026-03-02 05:20:33 -05:00
The key lifetime should not be shorter than the time it costs to introduce the successor key; otherwise keys will be created faster than they are removed, resulting in a large key set. The time it takes to replace a key is determined by the publication interval (Ipub) of the successor key and the retire interval (Iret) of the predecessor key. For the ZSK, Ipub is the sum of the DNSKEY TTL and zone propagation delay (and publish safety). Iret is the sum of Dsgn, the maximum zone TTL and zone propagation delay (and retire safety). The sign delay (Dsgn) is the signature validity period minus the refresh interval: the time to ensure that all existing RRsets have been re-signed with the new key. The ZSK lifetime should be larger than both values. For the KSK, Ipub is the sum of the DNSKEY TTL and zone propagation delay (and publish safety). Iret is the sum of the DS TTL and parent zone propagation delay (and retire safety). The KSK lifetime should be larger than both values.
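The lifetime rule from the commit message above, carried through with constructed numbers as an added example. This is illustration written for this page, not BIND 9's own code: the dataclass and function names (ZskTiming, KskTiming, zsk_ipub, ksk_iret, lifetime_warnings, ...) and every sample value are assumptions, and all times are in seconds.

```python
"""Worked check of the ZSK/KSK lifetime rule: a key lifetime must not be
shorter than max(Ipub, Iret), or keys accumulate faster than they retire.

Added illustration, not BIND 9 code. All names and sample values are
assumptions; times are in seconds.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ZskTiming:
    dnskey_ttl: int
    zone_propagation_delay: int
    publish_safety: int
    retire_safety: int
    max_zone_ttl: int
    signature_validity: int   # how long a generated RRSIG stays valid
    signature_refresh: int    # how long before expiry an RRSIG is regenerated


@dataclass(frozen=True)
class KskTiming:
    dnskey_ttl: int
    zone_propagation_delay: int
    publish_safety: int
    retire_safety: int
    ds_ttl: int
    parent_propagation_delay: int


def zsk_ipub(t: ZskTiming) -> int:
    """ZSK publication interval: DNSKEY TTL + zone propagation delay + publish safety."""
    return t.dnskey_ttl + t.zone_propagation_delay + t.publish_safety


def zsk_dsgn(t: ZskTiming) -> int:
    """Sign delay: signature validity minus refresh interval, i.e. the time
    until every existing RRset has been re-signed with the successor key."""
    return t.signature_validity - t.signature_refresh


def zsk_iret(t: ZskTiming) -> int:
    """ZSK retire interval: Dsgn + max zone TTL + zone propagation delay + retire safety."""
    return zsk_dsgn(t) + t.max_zone_ttl + t.zone_propagation_delay + t.retire_safety


def ksk_ipub(t: KskTiming) -> int:
    """KSK publication interval: DNSKEY TTL + zone propagation delay + publish safety."""
    return t.dnskey_ttl + t.zone_propagation_delay + t.publish_safety


def ksk_iret(t: KskTiming) -> int:
    """KSK retire interval: DS TTL + parent zone propagation delay + retire safety."""
    return t.ds_ttl + t.parent_propagation_delay + t.retire_safety


def min_lifetime(ipub: int, iret: int) -> int:
    """Shortest lifetime that does not let keys be created faster than they are removed."""
    return max(ipub, iret)


def lifetime_warnings(zsk_lifetime: int, ksk_lifetime: int,
                      zsk: ZskTiming, ksk: KskTiming) -> list[str]:
    """Return one warning per key type whose lifetime is shorter than max(Ipub, Iret)."""
    warnings = []
    zsk_min = min_lifetime(zsk_ipub(zsk), zsk_iret(zsk))
    if zsk_lifetime < zsk_min:
        warnings.append(f"ZSK lifetime {zsk_lifetime}s is shorter than max(Ipub, Iret) = {zsk_min}s")
    ksk_min = min_lifetime(ksk_ipub(ksk), ksk_iret(ksk))
    if ksk_lifetime < ksk_min:
        warnings.append(f"KSK lifetime {ksk_lifetime}s is shorter than max(Ipub, Iret) = {ksk_min}s")
    return warnings


# Constructed sample policy; not taken from any real zone or BIND default.
ZSK_EXAMPLE = ZskTiming(dnskey_ttl=3600, zone_propagation_delay=300,
                        publish_safety=3600, retire_safety=3600,
                        max_zone_ttl=86400,
                        signature_validity=14 * 86400, signature_refresh=5 * 86400)
KSK_EXAMPLE = KskTiming(dnskey_ttl=3600, zone_propagation_delay=300,
                        publish_safety=3600, retire_safety=3600,
                        ds_ttl=86400, parent_propagation_delay=3600)

if __name__ == "__main__":
    print("ZSK Ipub/Dsgn/Iret:", zsk_ipub(ZSK_EXAMPLE), zsk_dsgn(ZSK_EXAMPLE), zsk_iret(ZSK_EXAMPLE))
    print("KSK Ipub/Iret:", ksk_ipub(KSK_EXAMPLE), ksk_iret(KSK_EXAMPLE))
    # A 30-day ZSK and 1-year KSK pass; a 1-day lifetime for either does not.
    print(lifetime_warnings(30 * 86400, 365 * 86400, ZSK_EXAMPLE, KSK_EXAMPLE))
    print(lifetime_warnings(86400, 86400, ZSK_EXAMPLE, KSK_EXAMPLE))
```

With these sample values the ZSK's retire interval (about 10 days) dominates its publication interval (about 2 hours) because of the 9-day sign delay, which is why the ZSK lifetime bound is governed by Dsgn rather than by the DNSKEY TTL; for the KSK the DS TTL plus parent propagation delay sets the bound instead.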
| Name |
|---|
| include |
| aclconf.c |
| dnsconf.c |
| kaspconf.c |
| log.c |
| Makefile.am |
| namedconf.c |
| parser.c |
| tests |