[dns-operations] [DNSSEC] Signature lifetime

Olafur Gudmundsson ogud at ogud.com
Thu Jun 24 10:17:10 UTC 2010


Signature lifetime > Zone Expiry + signature refresh period
Everything shorter is arguably irresponsible.

Of course, how a zone is refreshed makes a difference, as well as how
well it is being monitored; also take into account how hard it is
to shut down a server that is not fetching new copies of the zone.

	Olafur


On 23/06/2010 10:41 AM, Matthew Pounsett wrote:
>
> On 2010/06/23, at 09:35, Stephane Bortzmeyer wrote:
>
>> RFC 4641 apparently has no advice about DNSSEC signature lifetimes. I
>> just discovered that ietf.org has signatures valid until May
>> 2011... Isn't it too long? What signature lifetime do people suggest?
>
>
> Signature validity period should be at least signature publication period + TTL.  4641 phrases this the opposite way: the signature publication period should be at least one maximum zone TTL duration before the end of the signature validity period (4.1.1).
>
> We've chosen a validity period based on our re-sign schedule, with a view to preventing emergencies; it's roughly publication period x 2. We re-sign every eight days, and have signatures valid for two weeks.  This gives us almost an entire publication period to fix problems with a re-sign, should they arise.  Easily enough to handle a long weekend without needing to call anyone back to the city.
>
> Matt
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
>
>
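The two rules of thumb in this thread, Matt's reading of RFC 4641 section 4.1.1 (validity at least the publication period plus the maximum zone TTL) and Olafur's stricter "lifetime > zone expiry + refresh period", as an added, runnable Python example; this is not code from either poster or from any DNS software. The helper names, the 1-day maximum TTL, the 7-day SOA expire and the sample RRSIG line (including its May 2011 expiration and signature bytes) are constructed assumptions; the 14-day validity and 8-day re-sign interval are Matt's numbers.

```python
"""Signature-lifetime arithmetic for a DNSSEC re-signing schedule.

Added example, not from the dns-operations thread. Function names, the
sample RRSIG record and the TTL / SOA-expire values are assumptions.
"""
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400


def check_signature_schedule(validity_days, resign_days, max_ttl_days, soa_expire_days):
    """Evaluate a (validity, re-sign interval) pair, all in days, against
    the two rules discussed in the thread and report the repair window."""
    # RFC 4641 4.1.1 as Matt reads it: a signature must remain valid for
    # one maximum zone TTL after its replacement is published, so
    # validity >= publication period (= re-sign interval) + max TTL.
    rfc4641_minimum = resign_days + max_ttl_days
    # Olafur's rule: a secondary that has stopped fetching the zone keeps
    # serving the old signatures until SOA expire elapses, so
    # validity > zone expiry + re-sign interval.
    zone_expiry_minimum = soa_expire_days + resign_days
    # Time left to repair a failed re-sign before the currently published
    # signatures expire (assumes inception is set at re-sign time).
    repair_window = validity_days - resign_days
    return {
        "rfc4641_ok": validity_days >= rfc4641_minimum,
        "rfc4641_minimum_days": rfc4641_minimum,
        "zone_expiry_ok": validity_days > zone_expiry_minimum,
        "zone_expiry_minimum_days": zone_expiry_minimum,
        "repair_window_days": repair_window,
    }


def parse_dns_time(ts):
    """RRSIG inception/expiration are YYYYMMDDHHMMSS in UTC (RFC 4034 3.2)."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_expiration(rrsig_line):
    """Return the expiration of an RRSIG in presentation format:
    owner TTL class RRSIG type alg labels origTTL expiration inception
    keytag signer signature (RFC 4034 3.2 field order)."""
    fields = rrsig_line.split()
    if len(fields) < 12 or fields[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % rrsig_line)
    return parse_dns_time(fields[8])


def seconds_remaining(rrsig_line, now_ts):
    """Validity left on the signature at the DNS-format time now_ts."""
    return (rrsig_expiration(rrsig_line) - parse_dns_time(now_ts)).total_seconds()


def resign_overdue(rrsig_line, now_ts, validity_days, resign_days):
    """True when less validity remains than a healthy schedule ever leaves,
    i.e. the re-sign that should have replaced this signature did not
    happen. With Matt's 14-day / 8-day numbers the alarm fires below 6 days."""
    threshold = (validity_days - resign_days) * SECONDS_PER_DAY
    return seconds_remaining(rrsig_line, now_ts) < threshold


# Constructed sample record: an RRSIG over an A RRset whose expiration is
# in May 2011. The dates, key tag and signature bytes are made up.
SAMPLE_RRSIG = ("ietf.org. 1800 IN RRSIG A 5 2 1800 20110501000000 20100601000000 "
                "12345 ietf.org. AQIDBAUGBwgJCgsMDQ4PEA==")

if __name__ == "__main__":
    # Matt's schedule with a constructed 1-day max TTL and 7-day SOA expire.
    for key, value in check_signature_schedule(14, 8, 1, 7).items():
        print("%-26s %s" % (key, value))
    now = "20100624000000"  # constructed "now": the date of this thread
    print("days remaining on sample:", seconds_remaining(SAMPLE_RRSIG, now) / SECONDS_PER_DAY)
    print("re-sign overdue:", resign_overdue(SAMPLE_RRSIG, now, 14, 8))
```

Run with Matt's numbers, the schedule meets the RFC 4641 minimum and leaves a six-day repair window, but with a seven-day SOA expire it falls one day short of Olafur's rule; that gap between "enough for caches" and "enough for a stale secondary" is the point the two posts differ on. `resign_overdue` is the monitoring check that follows from Matt's reasoning: in normal operation remaining validity never drops below validity minus re-sign interval, so seeing less than that in a live RRSIG means a re-sign was missed.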