[dns-operations] [DNSSEC] Signature lifetime
bmanning at vacation.karoshi.com
Fri Jun 25 08:45:33 UTC 2010
On Fri, Jun 25, 2010 at 09:47:14AM +0200, Stephane Bortzmeyer wrote:
> On Thu, Jun 24, 2010 at 06:17:10AM -0400,
> Olafur Gudmundsson <ogud at ogud.com> wrote
> a message of 39 lines which said:
>
> > Signature life time > Zone Expiry + signature refresh period
> > Everything shorter is arguably irresponsible.
>
> Some of the people who replied on this thread discussed the *minimum*
> reasonable signature lifetime. But I was more interested by the
> *maximum* (one entire year for ietf.org...). Any more thoughts on it?
>
that one is much more fluid. depends on:
  the algorithm - likelihood of compromise
  operations - forgetting how to run the operation of gen/replacement/removal
  exposure - how often the key is "exposed/used" and how many sigs against
  the key are exposed
and in the end, the same questions apply on key/sig expiration/removal ...
if you don't track expire/retry/refresh ... you will likely mis-match
in the caches and there will be a period of instability at roll.
(or you could do what someone fm VSGN said .. push the sig expire out past 2039,
then it's past the unix epoch and five years after I retire.... )
--bill
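Added example, not part of the thread: a small Python check for the two points raised above, Olafur's rule that signature lifetime must exceed SOA expiry plus the re-signing period, and the 32-bit serial-number arithmetic (RFC 4034 section 3.1.5, RFC 1982) under which RRSIG inception/expiration fields are compared, which is what makes a far-future expiration wrap rather than fail. The timestamps and SOA/refresh values are constructed.

```python
from datetime import datetime, timezone

MOD = 1 << 32  # RRSIG inception/expiration are unsigned 32-bit seconds

def rrsig_time(field: str) -> int:
    """Encode a presentation-format RRSIG time (YYYYMMDDHHmmSS, UTC) as 32-bit seconds."""
    dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD

def serial_lt(a: int, b: int) -> bool:
    """RFC 1982: a precedes b when the forward distance is under half the ring."""
    return (a < b and b - a < MOD // 2) or (a > b and a - b > MOD // 2)

def sig_valid_at(inception: int, expiration: int, now: int) -> bool:
    """Validator view: inception <= now <= expiration, all compared as serials."""
    return not serial_lt(now, inception) and not serial_lt(expiration, now)

def policy_check(sig_lifetime: int, soa_expire: int, refresh_period: int) -> dict:
    """Olafur's rule from the thread: lifetime > SOA expire + signature refresh period.
    A secondary may have fetched the zone just before a re-sign and then lost its
    primary; it keeps serving those signatures until its SOA expire timer runs out,
    so they must stay valid for refresh_period + soa_expire after inception.
    resign_by is the latest re-sign time (seconds after inception) that keeps that true."""
    minimum = soa_expire + refresh_period
    return {
        "ok": sig_lifetime > minimum,
        "minimum": minimum,
        "margin": sig_lifetime - minimum,
        "resign_by": sig_lifetime - soa_expire,
    }

if __name__ == "__main__":
    # Constructed values: 30-day signatures, 14-day SOA expire, weekly re-signing.
    day = 86400
    print(policy_check(30 * day, 14 * day, 7 * day))
    inc = rrsig_time("20100625000000")
    print(sig_valid_at(inc, inc + 30 * day, inc + 10 * day))
```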