Re: [DNSOP] requesting WGLC for 5011-security-considerations

[Wes Hardaker <wjhns1@hardakers.net>]

Matthijs Mekking <matthijs@pletterpet.nl> writes:

>> Mathematically, I think the actually time needed to wait is 30 %
>> queryInterval, which may actually be 0 in some cases and just shy of
>> queryInterval in others.  Sound about right?
>
> I am sorry, I don't understand this logic, can you elaborate?
>
> The way I see it, queryInterval is always at minimal 1 hr and at most 15
> days (not taking into account retryTime).

In the end, the first (newly valid) time the validator queries for and
gets the new dnskey will be N minutes after the signature expiration
time.  The validators timer will start at that point.  Because
queryInterval is always equal to or less than 15 days, the validator
will always see the key twice before the 30 day window is up.  So if 30
days is a multiple of the query Interval (eg, 15 days, or 5 days) then
the first time the validator will see the key after the 30 day window is
N minutes after the expiration time plus 30 days.  Thus only 1 query
interval needs to be added in this ideal case.

The less than ideal case is when 30 isn't evenly divisible by the
queryInterval (eg, 7 days).  At which point the first time the validator
will see the new key after the (sig_exp + N + 30 days) mark will be at
(sig_exp + N + 30 days + remainder(30 days / 7)).  So we don't need to
add in a full queryInterval to cover the offset and can calculate it
instead.

(that being said, I put "you might pick 2x for simplicity" into the draft)
-- 
Wes Hardaker
USC/ISI