Commit a7fe3983 authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

ksk rollover: next publish time based on time created instead of active

to avoid too big a difference between zones sharing the key
parent 314b1e58
......@@ -197,12 +197,12 @@ static time_t zsk_remove_time(time_t retire_time, const kdnssec_ctx_t *ctx)
return retire_time + ctx->policy->propagation_delay + ctx->policy->zone_maximal_ttl;
}
static time_t ksk_publish_time(time_t active_time, const kdnssec_ctx_t *ctx)
static time_t ksk_publish_time(time_t created_time, const kdnssec_ctx_t *ctx)
{
if (active_time <= 0 || active_time >= TIME_INFINITY) {
if (created_time <= 0 || created_time >= TIME_INFINITY) {
return TIME_INFINITY;
}
return active_time + ctx->policy->ksk_lifetime; // TODO better minus something ?
return created_time + ctx->policy->ksk_lifetime;
}
static time_t ksk_ready_time(time_t publish_time, const kdnssec_ctx_t *ctx)
......@@ -256,7 +256,7 @@ static roll_action next_action(kdnssec_ctx_t *ctx)
break;
case DNSSEC_KEY_STATE_ACTIVE:
if (!is_ksk_published) {
keytime = ksk_publish_time(key->timing.active, ctx);
keytime = ksk_publish_time(key->timing.created, ctx);
restype = PUBLISH;
}
break;
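Review bot: With the new guard `if (created_time <= 0 || created_time >= TIME_INFINITY)`, a KSK whose `created` timing was never recorded (0) now yields TIME_INFINITY and no rollover is ever scheduled, whereas the previous check on `active` was presumably always satisfied for a key in DNSSEC_KEY_STATE_ACTIVE; the test file in this commit had to add `created=` to every key_set call, which hints that imported or older keys may lack that timestamp. Consider falling back to the active time when created is unset, e.g. `time_t base = (created_time > 0) ? created_time : active_time;` with the caller in next_action passing both `key->timing.created` and `key->timing.active`. The removed `// TODO better minus something ?` recorded that the publish time leaves no room for the ready/propagation interval before the old key's lifetime ends; that caveat still holds and the rationale from the commit message deserves to be in the code, e.g. `// based on created (not active) time so zones sharing this key roll together; the pre-publish interval is not subtracted from ksk_lifetime`. The next_action switch in the second hunk starts and ends outside the hunk.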
......@@ -77,12 +77,12 @@ ZSK2 = "246d81610c3e3e1cf99ffa1eecd95f1deee01f0e"
t.rel_sleep(0)
# note that some of these paraneters will be immediately or later modified by automated key management
child.key_set(ZONE, KSK1, publish="t-2y", ready="t-1y", active="t-1y", retire="t+10y", remove="t+20y")
child.key_set(ZONE, KSK1, created="t-2y", publish="t-2y", ready="t-1y", active="t-1y", retire="t+10y", remove="t+20y")
# KSK1's retire and remove shall be reconfigured by Knot to soon as KSK2 takes place
child.key_set(ZONE, KSK2, publish="t+0", ready="t+1h", active="t+10y", retire="t+11y", remove="t+12y")
child.key_set(ZONE, ZSK1, publish="t-20", ready="t-10", active="t-10", retire="t+15y", remove="t+20y")
child.key_set(ZONE, KSK2, created="t+0", publish="t+0", ready="t+1h", active="t+10y", retire="t+11y", remove="t+12y")
child.key_set(ZONE, ZSK1, created="t-20", publish="t-20", ready="t-10", active="t-10", retire="t+15y", remove="t+20y")
# ZSK1 simply valid for all the time
child.key_set(ZONE, ZSK2, publish="t-2", ready="t+14y", active="t+14y", retire="t+31y", remove="t+36y")
child.key_set(ZONE, ZSK2, created="t-2", publish="t-2", ready="t+14y", active="t+14y", retire="t+31y", remove="t+36y")
# ZSK2 only reason: prevents Knot from publishing another ZSK
t.start()