Hi Thomas,
On 07.08.20 22:18, Thomas wrote:
I have the requirement to re-sign my zones exactly
every 24 hours. I'm
not sure how to achieve this, because I'm not clear about the
correlation of the following parameters:
zsk-lifetime
propagation-delay
rrsig-lifetime
rrsig-refresh
rrsig-pre-refresh
Can anybody give a hint what values I need to have an exact re-signing
period of 24 hours?
You can configure knot to renew your signatures every 24 hours:
rrsig-lifetime defaults to 14 days (validity period). Let's keep that.
rrsig-refresh defaults to 7 days and is coupled to rrsig-lifetime. Set
it to 13 days so that signatures are re-newed 13 days before they expire
which is your required 24 hours.
So, the required setting is only:
rrsig-refresh: 13d
Note, we ignored that the signatures are created with an inception time
of 90 minutes in the past. This means, knot will resign your zone every
24h - 90min interval. If this is a problem for you, you need to either
decrease rrsig-lifetime by 90min or increase rrsig-refresh by 90min.
Even then, it will likely not happen exactly every 24h as
rrsig-pre-refresh (defaults to 60min) allows knot to refresh it up to 60
minutes before. This is to avoid re-signing huge numbers of signatures
all at the same time. In my opinion, I would just use the
"rrsig-refresh" option as shown above.
I once made a picture how this parameters align together:
https://switchsecurityblog.files.wordpress.com/2014/11/blog-time-in-dnssec.…
Daniel