[dns-operations] [DNSSEC] Signature lifetime
Matt Larson
mlarson at verisign.com
Wed Jun 23 14:23:48 UTC 2010
On Wed, 23 Jun 2010, George Barwood wrote:
> I'm currently using Expiry Time = Current Time + TTL + 2 days when signing.
A signing failure on a Friday afternoon with a signature duration that
short could ruin your long weekend.
> I think 2 days is quite short, 7 - 10 days is probably more
> conservative, to give longer to fix things if the master server goes
> down.
For both the root and com/net/edu we chose seven days. It felt like a
good compromise that was long enough to avoid operational terror at
the prospect of a worst-case signing failure of some kind and short
enough to limit the exposure of a child zone owner and make it harder
to reasonably complain that it's too long.
Matt