[dns-operations] [DNSSEC] Signature lifetime
Olafur Gudmundsson
ogud at ogud.com
Fri Jun 25 08:24:52 UTC 2010
On 25/06/2010 3:47 AM, Stephane Bortzmeyer wrote:
> On Thu, Jun 24, 2010 at 06:17:10AM -0400,
> Olafur Gudmundsson<ogud at ogud.com> wrote
> a message of 39 lines which said:
>
>> Signature lifetime > Zone Expiry + signature refresh period
>> Everything shorter is arguably irresponsible.
>
> Some of the people who replied on this thread discussed the *minimum*
> reasonable signature lifetime. But I was more interested by the
> *maximum* (one entire year for ietf.org...). Any more thoughts on it?
>
>
It is almost irrelevant; any signature will only be cached for the TTL
on the RRset, or, if the TTL is long enough, for as long as the cache caps how long
it will keep it.
The drawback to having really long-lived signatures is that unless the
data is re-signed while the operator is still paying attention to the
system, they will not detect re-signing errors :-)
I think 2x-4x Zone expiry is a reasonable max.
The main threat that people have to think about with long-lived
signatures is "Signature Reuse", i.e. if the RRset changes (for example if the
address space is changed), can someone else use that address during the
signature lifetime for bad purposes?
Shorter signatures cap this risk.
Olafur
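The rules discussed in this message (a minimum lifetime longer than zone expiry plus the re-signing period, a cap of a few times zone expiry, and the signature-reuse window that only the RRSIG Expiration field bounds, while the RRset TTL bounds caching), as an added worked example that is not code from the dns-operations thread or from any zone operator. The RRSIG lines, key tag, SOA timers and dates are constructed sample values; the cache bound follows RFC 4035 section 5.3.3, and the timestamp parsing follows the RFC 4034 presentation format.

```python
"""Signature-lifetime policy checks for a DNSSEC-signed zone.

Added example for the dns-operations thread; not code from the list or
from any zone operator.  The RRSIG records, SOA timers and dates below
are constructed sample values.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

UTC = timezone.utc

# Constructed RRSIG records in RFC 4034 presentation format.  The trailing
# signature field is a placeholder, not a real signature over this data.
LONG_LIVED_RRSIG = (
    "example.com. 3600 IN RRSIG A 8 2 3600 "
    "20110624000000 20100624000000 12345 example.com. PLACEHOLDER=="
)
MEDIUM_LIVED_RRSIG = (
    "example.com. 3600 IN RRSIG A 8 2 3600 "
    "20100724000000 20100624000000 12345 example.com. PLACEHOLDER=="
)
SHORT_LIVED_RRSIG = (
    "example.com. 3600 IN RRSIG A 8 2 3600 "
    "20100704000000 20100620000000 12345 example.com. PLACEHOLDER=="
)


def parse_rrsig_time(field: str) -> datetime:
    """RRSIG Expiration/Inception: YYYYMMDDHHmmSS in UTC, or, in the
    alternative presentation form, decimal seconds since the Unix epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=UTC)
    return datetime.fromtimestamp(int(field), tz=UTC)


def parse_rrsig(line: str) -> Dict[str, object]:
    """Extract the fields that matter for lifetime policy from one RRSIG RR.

    Field order (RFC 4034 section 3.2): owner TTL class RRSIG type-covered
    algorithm labels original-TTL expiration inception key-tag signer sig.
    """
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0],
        "ttl": int(f[1]),
        "type_covered": f[4],
        "original_ttl": int(f[7]),
        "expiration": parse_rrsig_time(f[8]),
        "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def lifetime_seconds(rrsig: Dict[str, object]) -> int:
    """Validity period of the signature (Expiration - Inception)."""
    return int((rrsig["expiration"] - rrsig["inception"]).total_seconds())


def check_lifetime(rrsig: Dict[str, object], soa_expire: int,
                   resign_interval: int, max_factor: int = 4) -> List[str]:
    """Apply the two rules from the thread; SOA expire and the re-signing
    interval are in seconds, like the SOA fields.  Returns findings; an
    empty list means the lifetime is within policy.

    minimum: lifetime > SOA expire + re-signing interval, so a secondary
             that is still allowed to serve the zone never serves RRSIGs
             that have already expired;
    maximum: lifetime <= max_factor * SOA expire (2x-4x suggested), which
             bounds how long a stale signature can be replayed.
    """
    life = lifetime_seconds(rrsig)
    findings = []
    if life <= soa_expire + resign_interval:
        findings.append("too short: lifetime %s is not longer than SOA expire %s"
                        " + re-sign interval %s"
                        % (timedelta(seconds=life), timedelta(seconds=soa_expire),
                           timedelta(seconds=resign_interval)))
    if life > max_factor * soa_expire:
        findings.append("too long: lifetime %s exceeds %dx SOA expire (%s)"
                        % (timedelta(seconds=life), max_factor,
                           timedelta(seconds=max_factor * soa_expire)))
    return findings


def reuse_window(rrsig: Dict[str, object], change_time: str) -> int:
    """Signature-reuse exposure in seconds: how long a captured copy of this
    RRSIG plus the old RRset keeps validating after the data is withdrawn
    at change_time (same YYYYMMDDHHmmSS form).  Only the Expiration field
    bounds this; the RRset TTL does not."""
    remaining = rrsig["expiration"] - parse_rrsig_time(change_time)
    return max(0, int(remaining.total_seconds()))


def cache_bound(rrsig: Dict[str, object], fetched_at: str) -> int:
    """Seconds a validating resolver may keep the RRset it accepted at
    fetched_at (RFC 4035 section 5.3.3): the minimum of the received TTL,
    the RRSIG Original TTL and the remaining signature validity."""
    remaining = rrsig["expiration"] - parse_rrsig_time(fetched_at)
    return max(0, min(rrsig["ttl"], rrsig["original_ttl"],
                      int(remaining.total_seconds())))


if __name__ == "__main__":
    soa_expire, resign = 14 * 86400, 7 * 86400  # constructed SOA expire / re-sign period
    for line in (LONG_LIVED_RRSIG, MEDIUM_LIVED_RRSIG, SHORT_LIVED_RRSIG):
        r = parse_rrsig(line)
        print(r["owner"], r["type_covered"], timedelta(seconds=lifetime_seconds(r)),
              check_lifetime(r, soa_expire, resign) or ["ok"])
    r = parse_rrsig(LONG_LIVED_RRSIG)
    print("reuse window after a 2010-09-01 change:",
          timedelta(seconds=reuse_window(r, "20100901000000")))
```

Run it as-is to see the three lifetimes judged against a 14-day SOA expire and a 7-day re-signing period: the one-year signature trips only the maximum rule, the 14-day one only the minimum rule, and the 30-day one passes both; the reuse window for the one-year signature after a change in September 2010 is still the better part of a year, although any single resolver caches the RRset for at most its TTL.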