[dns-operations] [DNSSEC] Signature lifetime
George Barwood
george.barwood at blueyonder.co.uk
Wed Jun 23 13:52:43 UTC 2010
I'm currently using Expiry Time = Current Time + TTL + 2 days when signing.
This is with small zones that are signed every 5 hours, and with slaves that refresh every 30 minutes.
I think 2 days is quite short, 7 - 10 days is probably more conservative, to give longer
to fix things if the master server goes down.
I think anything much over 1 month is probably excessive.
George
----- Original Message -----
From: "Stephane Bortzmeyer" <bortzmeyer at nic.fr>
To: <dns-operations at lists.dns-oarc.net>
Sent: Wednesday, June 23, 2010 2:35 PM
Subject: [dns-operations] [DNSSEC] Signature lifetime
> RFC 4641 apparently has no advice about DNSSEC signature lifetimes. I
> just discovered that ietf.org has signatures valid until May
> 2011... Isn't it too long? What signature lifetime do people suggest?
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
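The signing rule in the reply above (expiration = now + TTL + a fixed margin, signatures refreshed every 5 hours, slaves refreshing every 30 minutes) can be turned into a small calculator and an auditor for the kind of long-lived signature the original question asks about. The code below is an added example, not the poster's tooling or anything from the list; it assumes a 1 hour inception backdating for validator clock skew (the post does not say), treats "much over 1 month" as a 31 day threshold, and the two RRSIG lines are constructed samples for example.com. with placeholder signature data, not records from any real zone.

```python
"""RRSIG lifetime calculator and auditor (added example, not from the post).

Implements the rule from the reply above:
    expiration = now + TTL + margin          (margin = 2 days in the post)
and audits RRSIG presentation-format lines for lifetimes the thread
considers excessive.  Thresholds and sample records are assumptions.
"""
from datetime import datetime, timedelta, timezone

RRSIG_TIME_FMT = "%Y%m%d%H%M%S"   # RRSIG timestamp presentation format (RFC 4034 s.3.2)
MAX_LIFETIME_DAYS = 31            # assumption: "anything much over 1 month is excessive"


def from_rrsig_time(text):
    return datetime.strptime(text, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def to_rrsig_time(dt):
    return dt.astimezone(timezone.utc).strftime(RRSIG_TIME_FMT)


def validity_window(now_text, ttl_seconds, margin_days=2, inception_skew_seconds=3600):
    """Return (inception, expiration) as RRSIG timestamps.

    Expiration follows the post: now + TTL + margin.  Inception is backdated
    by inception_skew_seconds (assumption) so validators with slightly slow
    clocks do not reject a freshly made signature.
    """
    now = from_rrsig_time(now_text)
    inception = now - timedelta(seconds=inception_skew_seconds)
    expiration = now + timedelta(seconds=ttl_seconds) + timedelta(days=margin_days)
    return to_rrsig_time(inception), to_rrsig_time(expiration)


def headroom_hours(margin_days=2, resign_hours=5, slave_refresh_minutes=30):
    """Hours the master may stay down before resolvers can see expired signatures.

    Worst case: the master dies just before its next scheduled re-sign, and the
    slave last refreshed just before that signing run, so the freshest signatures
    on the slaves are already (resign + refresh) old.  Because the TTL is added
    to the expiration and also bounds how long a resolver caches the RRset, the
    TTL cancels out and only the margin is left to absorb the outage.
    """
    return margin_days * 24 - resign_hours - slave_refresh_minutes / 60


def parse_rrsig(line):
    """Return (inception, expiration) from an RRSIG line in presentation format.

    RDATA order after the RRSIG token: type covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer name, signature.
    """
    fields = line.split()
    i = fields.index("RRSIG")
    return from_rrsig_time(fields[i + 6]), from_rrsig_time(fields[i + 5])


def audit_rrsig(line, now_text, max_lifetime_days=MAX_LIFETIME_DAYS):
    """Classify one RRSIG against the thread's rule of thumb."""
    now = from_rrsig_time(now_text)
    inception, expiration = parse_rrsig(line)
    lifetime = expiration - inception
    remaining = expiration - now
    problems = []
    if now < inception:
        problems.append("not yet valid")
    if remaining <= timedelta(0):
        problems.append("expired")
    if lifetime > timedelta(days=max_lifetime_days):
        problems.append("lifetime %d days exceeds %d days" % (lifetime.days, max_lifetime_days))
    return {"lifetime_days": lifetime.days, "remaining_days": remaining.days, "problems": problems}


# Constructed sample records (placeholder base64, not real signatures).
NOW = "20100623135243"
LONG_LIVED = ("example.com. 1800 IN RRSIG A 8 2 1800 20110501000000 20100601000000 "
              "12345 example.com. c29tZXNpZw==")
SHORT_LIVED = ("example.com. 1800 IN RRSIG A 8 2 1800 20100625145243 20100623125243 "
               "12345 example.com. c29tZXNpZw==")

if __name__ == "__main__":
    print("window for TTL 3600s:", validity_window(NOW, 3600))
    print("headroom after master failure: %.1f hours" % headroom_hours())
    for rec in (LONG_LIVED, SHORT_LIVED):
        print(audit_rrsig(rec, NOW))
```

With the numbers from the post (2 day margin, 5 hour re-sign, 30 minute refresh) the headroom is 42.5 hours; stretching the margin to 7 to 10 days, as the reply suggests, turns that into most of a week while a roughly 11 month signature, as in the original question, trips the lifetime check.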