[dns-operations] [DNSSEC] Signature lifetime

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Fri Jun 25 08:45:33 UTC 2010

On Fri, Jun 25, 2010 at 09:47:14AM +0200, Stephane Bortzmeyer wrote:
> On Thu, Jun 24, 2010 at 06:17:10AM -0400,
>  Olafur Gudmundsson <ogud at ogud.com> wrote 
>  a message of 39 lines which said:
> > Signature life time > Zone Expiry + signature refresh period
> > Everything shorter is arguably irresponsible.
> Some of the people who replied on this thread discussed the *minimum*
> reasonable signature lifetime. But I was more interested by the
> *maximum* (one entire year for ietf.org...). Any more thoughts on it?

	that one is much more fluid.  depends on:

	 the algorithm  - likelyhood of compromise
	 operations     - forgetting how to run the operation of gen/replacement/removal
	 exposure       - how often is the key "exposed/used" and how many sigs are against
		          the key are exposed

	and in the end, the same questions apply on key/sig expireation/removal ...
	if you don't track expire/retry/refresh ... you will likely mis-match 
	in the caches and there will be a period of instability at roll.

	(or you could do what someone fm VSGN said .. push the sig expire out past 2039,
	then its past the unix epoch and five years after I retire.... )


More information about the dns-operations mailing list