git.ipfire.org Git - thirdparty/bind9.git/commit

author	Matthijs Mekking <matthijs@isc.org>
	Mon, 9 May 2022 11:56:45 +0000 (13:56 +0200)
committer	Matthijs Mekking <matthijs@isc.org>
	Tue, 31 May 2022 15:16:53 +0000 (17:16 +0200)
commit	3cfbe31176ff3119666bb1471fc87ba25a647e99
tree	d90e36d7f1b0e291d0311b264e574830433333f0	tree \| snapshot
parent	2036a8b1613034cf47bdbc49c2e7e38cb09d10de	commit \| diff

Error if key lifetime is too short

The key lifetime should not be shorter than the time it costs to
introduce the successor key, otherwise keys will be created faster than
they are removed, resulting in a large key set.

The time it takes to replace a key is determined by the publication
interval (Ipub) of the successor key and the retire interval of the
predecessor key (Iret).

For the ZSK, Ipub is the sum of the DNSKEY TTL and zone propagation
delay (and publish safety). Iret is the sum of Dsgn, the maximum zone
TTL and zone propagation delay (and retire safety). The sign delay is
the signature validity period minus the refresh interval: The time to
ensure that all existing RRsets have been re-signed with the new key.
The ZSK lifetime should be larger than both values.

For the KSK, Ipub is the sum of the DNSKEY TTL and zone propagation
delay (and publish safety). Iret is the sum of the DS TTL and parent
zone propagation delay (and retire safety). The KSK lifetime should be
larger than both values.

(cherry picked from commit 8134d46cdb2ed592c4c4a3b21f7419621c25527f)

bin/tests/system/checkconf/kasp-bad-lifetime.conf	[new file with mode: 0644]	blob
bin/tests/system/checkconf/tests.sh		diff \| blob \| blame \| history
lib/isccfg/kaspconf.c		diff \| blob \| blame \| history