5011 Calculator

This page allows you to insert parameters that show how RFC5011 parameters affect the proposed refinement timing in draft-ietf-dnsop-rfc5011-security-considerations. This simulation does not (yet) simulate network failures, only delays. You're welcome to clone the source for this page on github

The following publishing parameters can be used to control the timing results:

Add Hold Down Time

You probably don't want to change this

publicationTime

Unix epoch timestamp (zero is easiest on humans)

sigExpirationTime

TTL

of the DNSKEY RRSIGs

Delay Drift Safety

Should be minimum of activeRefesh!
(Any clock drift may result in a resolver delaying acceptance up to one activeRefesh value)

Retry Safety Margin

A reasonable amount of buffer; see draft Section 6.1.8 for suggested values.

The following are resolvers simulation parameters:

Resolver Query Offset Amount

Amount beyond publication the resolver will first query;
Will be limit to an upper value of activeRefresh-1 (see below).

Resolver Query Drift Amount

Network, clock drift and calculation delays that delay subsequent queries.

Is Being Attacked

Is the resolver under a successful replay attack?

Calculated Parameters:

activeRefresh

The resolver will query every this many sceonds + the drift amount

activeRefreshOffset

If non-zero, the addHoldDownTime is not divisble by activeRefresh.

Timing Results

The goal is to never have the green "DNSKEY Accepted" line's mark greater than the appropriate red line.

Timing Results Detail Table