[dns-operations] 10% was Re: .mm ....

Joe Abley jabley at hopcount.ca
Sat Jan 19 02:31:08 UTC 2013 

On 2013-01-19, at 06:05, Edward Lewis <Ed.Lewis at neustar.biz> wrote:

> The posed question is whether expanding the lifetime of a signature by "10%" is a good idea.

I'll assume (since I didn't see the original mail) that the proposal is to make validators tolerant by 10%, rather than to change anything on the authority server or on the signers. (If you want to extend the validity of a signature by 10% when you sign the zone you can already do that just by changing the parameters used by your signer.)

If the idea is "I'll tolerate an expired signature for 10% of the original validity period" (I didn't see the original mail) then you're just trading a failure today for a failure today + T. I don't think there's much practical difference between those outcomes. I don't see the point of the change.

If the idea is "I'll tolerate an expired signature for 10% of the original validity period and use that extra time to shout loudly about the fact that there is a failure" then I'd suggest just setting your monitoring systems to start the loud klaxons when you only have 10% validity remaining, and avoid the change too.

I don't see much good, here.

I think the main things that are missing from the world are:

 - a pragmatic approach to setting signature validity periods in signers, mindful of operational considerations

 - people monitoring their own zones and getting early warnings when signer policy appears not to be reflected in the DNS

If you plan to refresh your signatures every 7 days, you know that sometimes there are failures which might take 4 days to mitigate (long weekends, etc) and you know that the number "4" in the preceding phrase is a bit woolly, then make your signature validity 7 + 3 * 4 = 19 days. If 3 is not a good enough woolly factor, make it higher. If 4 is not enough days, make it higher.

If you see signatures persist beyond 7 days, sound the alarm, but know that you don't have to panic because you have another (e.g.) 12 days before any embarrassing impact of human waste vs. rotating blades.

The numbers here all depend on local circumstances. I can't imagine a "10%" style number that would have universal application. If these kinds of things are too hard to think about, don't deploy DNSSEC.


Joe

More information about the dns-operations mailing list