DNSSEC: signatures refreshing

Jan Včelák requested to merge dnssec-resign-early into master

Included changes:

  • The signatures are now refreshed (signature_lifetime / 10) seconds before their expiration. The default signature lifetime is 30 days, therefore the signatures are refreshed 3 days before their expiration.
  • The parameter 'expires_at' in signing functions was renamed to 'refresh_at', as the name was misleading.
  • The signing policy structure was cleaned and helper functions were added.
  • DNSSEC event logging was changed from relative to absolute value, because the intervals are much longer now.
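
The refresh rule and the `refresh_at` meaning described in this list, as an added example; it is not code from this merge request or the project. The struct, field and function names are hypothetical, and signatures are modelled only by their expiration timestamps.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SIG_LIFETIME_DEFAULT (30ULL * 24 * 3600) /* 30 days, the default named above */
/* Hypothetical signing policy; struct and field names are assumptions. */
typedef struct {
    uint64_t now;            /* current time, seconds since epoch */
    uint64_t sig_lifetime;   /* validity period of newly made signatures */
    uint64_t refresh_before; /* re-sign this long before expiration */
} sign_policy_t;

static sign_policy_t policy_init(uint64_t now, uint64_t lifetime) {
    sign_policy_t p = { now, lifetime, lifetime / 10 }; /* rule from the first bullet */
    return p;
}

/* Absolute time at which a signature expiring at `expiration` is due for refresh. */
static uint64_t policy_refresh_time(const sign_policy_t *p, uint64_t expiration) {
    return expiration > p->refresh_before ? expiration - p->refresh_before : 0;
}
static int sig_needs_refresh(const sign_policy_t *p, uint64_t expiration) {
    return policy_refresh_time(p, expiration) <= p->now;
}

/* One signing pass: replace due signatures in place, count them, and return
 * refresh_at, the absolute time of the next pass (not an expiration time). */
static uint64_t resign_pass(const sign_policy_t *p, uint64_t *exp, size_t count, size_t *resigned) {
    uint64_t refresh_at = UINT64_MAX;
    *resigned = 0;
    for (size_t i = 0; i < count; i++) {
        if (sig_needs_refresh(p, exp[i])) {
            exp[i] = p->now + p->sig_lifetime; /* stands in for real signing */
            (*resigned)++;
        }
        uint64_t due = policy_refresh_time(p, exp[i]);
        if (due < refresh_at) refresh_at = due;
    }
    return refresh_at;
}

int main(void) {
    sign_policy_t p = policy_init(1000000000, SIG_LIFETIME_DEFAULT);
    uint64_t sigs[] = { p.now + 100000, p.now + 300000, p.now - 10 }; /* constructed */
    size_t n;
    uint64_t at = resign_pass(&p, sigs, 3, &n);
    printf("resigned=%zu refresh_at=%llu\n", n, (unsigned long long)at);
    return 0;
}
```

The returned value is the earliest refresh time among all signatures after the pass, so a caller scheduling the next signing event on it never lets a signature get closer to expiration than the refresh window.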
