[dns-operations] [DNSSEC] Signature lifetime

Matt Larson mlarson at verisign.com
Wed Jun 23 14:23:48 UTC 2010

On Wed, 23 Jun 2010, George Barwood wrote:
> I'm currently using Expiry Time = Current Time + TTL + 2 days when signing.

A signing failure on a Friday afternoon with a signature duration that
short could ruin your long weekend.

> I think 2 days is quite short, 7 - 10 days is probably more
> conservative, to give longer to fix things if the master server goes
> down.

For both the root and com/net/edu we chose seven days.  It felt like a
good compromise that was long enough to avoid operational terror at
the prospect of a worst-case signing failure of some kind and short
enough to limit the exposure of a child zone owner and make it harder
to reasonably complain that it's too long.
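An added example, not code from the thread or from any real signer, that models the policy quoted above (expiry = signing time + TTL + grace) and checks whether a Friday afternoon signing failure is survivable under the 2-day and 7-day choices. The daily signing cadence, the 24-hour TTL and the calendar dates are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed policy parameters (assumptions, not values from any real zone).
TTL = timedelta(hours=24)            # RRset TTL
GRACE_SHORT = timedelta(days=2)      # "Current Time + TTL + 2 days"
GRACE_ROOT = timedelta(days=7)       # the seven days chosen for root/com/net/edu
RESIGN_EVERY = timedelta(hours=24)   # assumed re-signing cadence
FIRST_RUN = datetime(2010, 6, 1, 2, 0)    # assumed: signer runs daily at 02:00
FRIDAY_PM = datetime(2010, 6, 18, 16, 0)  # Friday afternoon failure
MONDAY_AM = datetime(2010, 6, 21, 9, 0)   # repaired after a normal weekend
TUESDAY_AM = datetime(2010, 6, 22, 9, 0)  # repaired after a long weekend

def rrsig_expiry(signed_at, ttl, grace):
    """Expiration under the policy expiry = signing time + TTL + grace."""
    return signed_at + ttl + grace

def last_signing_before(failure_at, first_run, interval):
    """Most recent scheduled signing run at or before failure_at."""
    runs = (failure_at - first_run) // interval   # timedelta // timedelta -> int
    return first_run + runs * interval

def repair_deadline(failure_at, first_run, ttl, grace, interval):
    """Latest time a fresh signature must be published.

    Assumption: a resolver may serve an RRset from cache for its full TTL,
    so the old signature has to stay valid for TTL after the last query
    answered with it. That is why TTL is subtracted from the expiry."""
    last_run = last_signing_before(failure_at, first_run, interval)
    return rrsig_expiry(last_run, ttl, grace) - ttl

def survives_outage(failure_at, repair_at, first_run, ttl, grace, interval):
    """True if the zone can be re-signed before cached data goes bogus."""
    return repair_at <= repair_deadline(failure_at, first_run, ttl, grace, interval)

def weekend_report():
    """Compare the two grace periods for a Friday 16:00 failure."""
    out = {}
    for name, grace in (("2-day", GRACE_SHORT), ("7-day", GRACE_ROOT)):
        out[name] = {
            "deadline": repair_deadline(FRIDAY_PM, FIRST_RUN, TTL, grace, RESIGN_EVERY),
            "monday_ok": survives_outage(FRIDAY_PM, MONDAY_AM, FIRST_RUN, TTL, grace, RESIGN_EVERY),
            "tuesday_ok": survives_outage(FRIDAY_PM, TUESDAY_AM, FIRST_RUN, TTL, grace, RESIGN_EVERY),
        }
    return out

if __name__ == "__main__":
    for name, r in weekend_report().items():
        print(name, r["deadline"], "Monday:", r["monday_ok"], "Tuesday:", r["tuesday_ok"])
```

With a daily signer, the 2-day policy already expires before Monday morning, while the 7-day policy leaves until the following Friday to repair.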
