[dns-operations] negative dnssec replies
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Nov 28 20:56:23 UTC 2016
> On Nov 28, 2016, at 3:23 PM, Router Log <logrouterlog at gmail.com> wrote:
>
> I still think there must be a more elegant method out there that doesn't involve keeping the private key on the shop floor.
The key in question is just the ZSK. Keeping those on-line is
no more risky than keeping web server private keys on-line. In
fact often safer, since the KSK signature over the ZSK often has
a shorter lifetime. Even the KSK effective lifetime (signature
lifetime of DS RRset in parent zone) is comparatively short. I
would suggest that the reluctance to have DNS signing keys online
is a meme that has outlived its usefulness. By all means, if
off-line works for you, do it, but there is not a compelling reason
to do that.
--
Viktor.
More information about the dns-operations
mailing list