[Pdns-users] KSK Key time

Florian Obser florian at narrans.de
Fri Jun 29 12:58:26 UTC 2012



On 06/29/2012 01:55 PM, Steffan Noord wrote:
> I noticed the page but didn't understand it
> 
> So 
> The 2 weeks signature I can ignore
> 

No :)

But I think I understand where your confusion is. Keys have no
lifetime, signatures do.

$ dig +dnssec -t DNSKEY adns1.de

; <<>> DiG 9.7.0-P1 <<>> +dnssec -t DNSKEY adns1.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18795
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1200
;; QUESTION SECTION:
;adns1.de.                      IN      DNSKEY

;; ANSWER SECTION:
adns1.de.               86355   IN      DNSKEY  257 3 7
AwEAAcGf3iRl4grAc6JH2uu2FZ85IR34OBZLwUK3pTLPsGRtrYflNJST
E3Zz/G+8qQsygmLKxs9IB+MPEOtsWtvCcthF5XPAs18imq6Os9zmocYs
GMqZCIDVk91L+q0cF61xvt0pLodE1LhkPVw4trSlG/UrVttu21EDcCw6
j+HgY16QhD0Zf4TAiKolRcVb05WpVn7PAEyejMbqqAZJlthlylxqtAhP
0OaTIK80HWKp/Tm13sMR9FqDG9UsYf9jyTeUoZ+9VEyY4xQOgj/p1kJu
6tmCg0cyazE72GnWaJmtcEgPvswARj+dud6ncYfcQhSygvut/9ELC6NS CPwdMgMCnKc=
adns1.de.               86355   IN      DNSKEY  256 3 7
AwEAAc2DV53dOIqxlq+YijjMPoRHoPZzzYKnJXcy491RJnTzaPiEGOLT
vhpBMt7c+IOn9mRdEv3PU3m0WFbeb6Uv8VNf+dc2CTFPGBz8DUIS3DEb
cUJdoG/5U000f/Kqyjgahr5LQHHJGXU4UAK3Jd1YeBKiCgx9mpE7xwCe wspMhutB
adns1.de.               86355   IN      DNSKEY  256 3 7
AwEAAcbLMvWxXjVvtEoIRg2IT7lzZUCDz9tC2cI2oymrUUawiO0y5aFL
QCHeWlr+5HwWjclXO8WSavC+rCTV/QXA60OgGMupXVfO9eZgiaUgnYcX
7xTSdQxK4KKRJ3RHPXjWPvRWDpeIwOobgPEB0DvuLBz8onmoEq+kVbpi wq5Hd2jr
adns1.de.               86355   IN      RRSIG   DNSKEY 7 2 86400
20120712000000 20120628000000 49353 adns1.de.
n5AuZk3SZEx6420DKECfMh4tSHu75nw2x6temp4WjpnYr/FBDHk28/LP
AjcbxToCaV7sDsOX7o0WHqSJ3V848Vd0QHBhaSJX62tpRYdZUvVE1h1M
HNdUQxpqmS6V3bOJ7CX4IFxPsg+zu1Qze5PdTBwiuEkb/CVN+7jJnCRP
tZdb55GwpiuVkjeozPI5eHd+ktcnzWIsXaLbXhub+dbFkIIypBW5biN9
CfJ6D4frJvH3r6zH9LNugjbjt9j/8p4nSEAU68JI7dmpmTzW/WKjZi+P
AQXUVWnl4UPrtSYUs54w6jHOEXfNCSv+W1U1vgeZkd2xZIsMuavzLnAC X1MODw==

;; Query time: 7 msec
;; SERVER: 10.12.33.1#53(10.12.33.1)
;; WHEN: Fri Jun 29 14:48:24 2012
;; MSG SIZE  rcvd: 905


As you can see, the DNSKEY records have no dates/times associated, but
the RRSIG does.

What the page tries to explain is where these dates come from:

 adns1.de.               86355   IN      RRSIG   DNSKEY 7 2 86400
20120712000000 20120628000000 49353 adns1.de.
^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^

When you run pdns in live signing it will regenerate the signatures as
necessary.

If you were to run pdns in pre-signed mode, e.g. signing your zones with
the dnssec-tools from bind and loading those zones into pdns, you would have
to re-sign every two weeks (or rather every month, as that's the default
for the dnssec-tools IIRC).

> And I can resign the domains once a year ?

I think here you are talking about key rollover, but this has nothing
to do with signature lifetimes.

Hope this helps,
Florian
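The following is an added example, not part of Florian's reply and not PowerDNS code. It parses the RRSIG record from the dig output above (the only record in that answer that carries dates), reports the validity window that Florian points at with the carets, and classifies the signature the way a validator would at a given time. The three-day warning margin, the helper names and the "now" timestamps used in the checks are constructed for the demonstration; the RRSIG text itself is copied from the dig output.

```python
"""Read the validity window of a DNSSEC RRSIG and check it against a clock.

Added example: the RRSIG below is the one from the dig output in the reply;
function names, the warning margin and the test clocks are constructed.
"""
from datetime import datetime, timedelta, timezone

# RRSIG over the DNSKEY RRset, copied from the dig output.  The base64
# signature is wrapped across lines exactly as dig printed it.
RRSIG_TEXT = """
adns1.de.               86355   IN      RRSIG   DNSKEY 7 2 86400
20120712000000 20120628000000 49353 adns1.de.
n5AuZk3SZEx6420DKECfMh4tSHu75nw2x6temp4WjpnYr/FBDHk28/LP
AjcbxToCaV7sDsOX7o0WHqSJ3V848Vd0QHBhaSJX62tpRYdZUvVE1h1M
HNdUQxpqmS6V3bOJ7CX4IFxPsg+zu1Qze5PdTBwiuEkb/CVN+7jJnCRP
tZdb55GwpiuVkjeozPI5eHd+ktcnzWIsXaLbXhub+dbFkIIypBW5biN9
CfJ6D4frJvH3r6zH9LNugjbjt9j/8p4nSEAU68JI7dmpmTzW/WKjZi+P
AQXUVWnl4UPrtSYUs54w6jHOEXfNCSv+W1U1vgeZkd2xZIsMuavzLnAC X1MODw==
"""

TIME_FMT = "%Y%m%d%H%M%S"  # presentation format of the two RRSIG timestamps


def _as_utc(t):
    """Accept either an aware datetime or a YYYYMMDDHHMMSS string (UTC)."""
    if isinstance(t, str):
        return datetime.strptime(t, TIME_FMT).replace(tzinfo=timezone.utc)
    return t


def parse_rrsig(text):
    """Split a presentation-format RRSIG (RFC 4034 section 3.2) into fields.

    After owner, TTL, class and type the fields are: type covered, algorithm,
    labels, original TTL, expiration, inception, key tag, signer, signature.
    """
    f = text.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not a presentation-format RRSIG record")
    return {
        "owner": f[0],
        "ttl": int(f[1]),
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "labels": int(f[6]),
        "original_ttl": int(f[7]),
        "expiration": _as_utc(f[8]),
        "inception": _as_utc(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
        "signature": "".join(f[12:]),  # rejoin the wrapped base64 pieces
    }


def validity_window(rrsig):
    """How long the signature is usable: expiration minus inception."""
    return rrsig["expiration"] - rrsig["inception"]


def signature_status(rrsig, now, warn_before=timedelta(days=3)):
    """Classify the signature as a validator sees it at time `now`.

    RFC 4035 section 5.3.1: a signature is only acceptable while
    inception <= now <= expiration.  `warn_before` is a constructed margin
    that flags signatures which are still valid but about to expire.
    """
    now = _as_utc(now)
    if now < rrsig["inception"]:
        return "not_yet_valid"
    if now > rrsig["expiration"]:
        return "expired"
    if rrsig["expiration"] - now <= warn_before:
        return "expiring"
    return "valid"


def resign_deadline(rrsig, margin=timedelta(days=3)):
    """Latest time a pre-signed zone should be re-signed and reloaded so that
    no resolver cache is left holding an expired signature.  The margin must
    cover the record TTL plus propagation time; the default is constructed."""
    return rrsig["expiration"] - margin


if __name__ == "__main__":
    sig = parse_rrsig(RRSIG_TEXT)
    query_time = "20120629144824"  # the WHEN line of the dig output, as UTC
    print("covers", sig["type_covered"], "signed by key tag", sig["key_tag"])
    print("valid for", validity_window(sig))
    print("status at query time:", signature_status(sig, query_time))
    print("re-sign no later than:", resign_deadline(sig).isoformat())
```

Run against the record above it reports a 14-day window (the "two weeks" Florian refers to), a valid signature at the time dig was run, and the point at which a pre-signed zone would have to be re-signed; live signing in pdns does that regeneration for you.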


