[dns-operations] [DNSSEC] Signature lifetime

Matthew Pounsett matt at conundrum.com
Wed Jun 23 14:41:45 UTC 2010

On 2010/06/23, at 09:35, Stephane Bortzmeyer wrote:

> RFC 4641 apparently has no advice about DNSSEC signature lifetimes. I
> just discovered that ietf.org has signatures valid until May
> 2011... Isn't it too long? What signature lifetime do people suggest?

Signature validity period should be at least signature publication period + TTL.  4641 phrases this in the opposite way as signature publication period being at least one maximum zone TTL duration before the end of the signature validity period (4.1.1).  

We've chosen a validity period based on our re-sign schedule, with a view to preventing emergencies; it's roughly publication period x 2. We re-sign every eight days, and have signatures valid for two weeks.  This gives us almost an entire publication period to fix problems with a re-sign, should they arise.  Easily enough to handle a long weekend without needing to call anyone back to the city.


More information about the dns-operations mailing list