[dns-operations] [DNSSEC] Signature lifetime

George Barwood george.barwood at blueyonder.co.uk
Wed Jun 23 13:52:43 UTC 2010

I'm currently using Expiry Time = Current Time + TTL + 2 days when signing.

This is with small zones that are signed every 5 hours, and with slaves that refresh every 30 minutes.

I think 2 days is quite short, 7 - 10 days is probably more conservative, to give longer
to fix things if the master server goes down.

I think anything much over 1 month is probably excessive.


----- Original Message -----
From: "Stephane Bortzmeyer" <bortzmeyer at nic.fr>
To: <dns-operations at lists.dns-oarc.net>
Sent: Wednesday, June 23, 2010 2:35 PM
Subject: [dns-operations] [DNSSEC] Signature lifetime

> RFC 4641 apparently has no advice about DNSSEC signature lifetimes. I
> just discovered that ietf.org has signatures valid until May
> 2011... Isn't it too long? What signature lifetime do people suggest?

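An added example, not code from this thread, that checks RRSIG records against the re-signing policy George describes (expiry = now + TTL + 2 days, re-signing every 5 hours, slaves refreshing every 30 minutes, and his one-month ceiling). The record line, the policy constants and the fixed clock are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Policy parameters taken from the post (constructed constants, not from any tool):
RESIGN_INTERVAL = timedelta(hours=5)     # zone is re-signed every 5 hours
SLAVE_REFRESH = timedelta(minutes=30)    # secondaries refresh every 30 minutes
EXPIRY_SLACK = timedelta(days=2)         # Expiry Time = Current Time + TTL + 2 days
MAX_LIFETIME = timedelta(days=31)        # "much over 1 month is probably excessive"

def parse_rrsig_time(s):
    """RRSIG expiration/inception in presentation format are YYYYMMDDHHmmSS, UTC (RFC 4034)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Pull owner, TTL, type covered, expiration, inception, key tag and signer out of one
    RRSIG RR in zone-file form (owner ttl class RRSIG type alg labels origttl exp inc tag signer sig)."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {"owner": f[0], "ttl": int(f[1]), "covered": f[4],
            "expiration": parse_rrsig_time(f[8]), "inception": parse_rrsig_time(f[9]),
            "keytag": int(f[10]), "signer": f[11]}

def planned_expiry(now, ttl):
    """The signer's rule from the post: Expiry Time = Current Time + TTL + 2 days."""
    return now + timedelta(seconds=ttl) + EXPIRY_SLACK

def assess(sig, now, resign=RESIGN_INTERVAL, refresh=SLAVE_REFRESH, max_lifetime=MAX_LIFETIME):
    """Return (days of headroom if the master died right now, list of findings).
    A replacement signature must be produced, pulled by the slaves and age out of resolver
    caches before the old one expires, so the horizon is now + re-sign interval + refresh + TTL."""
    findings = []
    if now < sig["inception"]:
        findings.append("not-yet-valid")
    if now >= sig["expiration"]:
        findings.append("expired")
    if sig["expiration"] - sig["inception"] > max_lifetime:
        findings.append("lifetime-excessive")
    needed_until = now + resign + refresh + timedelta(seconds=sig["ttl"])
    headroom = sig["expiration"] - needed_until
    if headroom < timedelta(0):
        findings.append("expires-before-next-resign-propagates")
    return headroom.total_seconds() / 86400, findings

# Constructed sample record and clock; the signature data is not a real signature.
SAMPLE = ("example.net. 3600 IN RRSIG A 8 2 3600 20100625135243 20100623135243 "
          "12345 example.net. dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ==")
NOW = datetime(2010, 6, 23, 13, 52, 43, tzinfo=timezone.utc)

if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE)
    print("policy expiry:", planned_expiry(NOW, sig["ttl"]).strftime("%Y%m%d%H%M%S"))
    print("headroom (days), findings:", assess(sig, NOW))
```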