[dns-operations] [DNSSEC] Signature lifetime

Olafur Gudmundsson ogud at ogud.com
Fri Jun 25 08:24:52 UTC 2010

On 25/06/2010 3:47 AM, Stephane Bortzmeyer wrote:
> On Thu, Jun 24, 2010 at 06:17:10AM -0400,
>   Olafur Gudmundsson<ogud at ogud.com>  wrote
>   a message of 39 lines which said:
>> Signature life time>  Zone Expiry + signature refresh period
>> Everything shorter is arguably irresponsible.
> Some of the people who replied on this thread discussed the *minimum*
> reasonable signature lifetime. But I was more interested by the
> *maximum* (one entire year for ietf.org...). Any more thoughts on it?

It is almost irrelevant, any signature will only be cached for the TTL 
on the RRset, or if the TTL is long enough that the Cache caps how long 
it will keep it.

The drawback to having real long lived signatures is that unless the 
data is resigned while the operator is still paying attention to the 
system they will not detect resigning errors :-)

I think 2x-4x Zone expiry is reasonable max.

The main threat that people have to think about with long lived 
signatures is "Signature Reuse" i.e. if the RRset changes like if the 
address space is changed can someone else use that address during the 
signature life time for bad purposes.

Shorter signatures cap this risk.



More information about the dns-operations mailing list