[dns-operations] anybody awake over at comcast.net?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Feb 8 06:45:06 UTC 2021


On Sun, Feb 07, 2021 at 10:22:49PM -0800, Paul Vixie wrote:

> my IPv6 PTRs are failing, and like last time, it's a signature
> expiration upstream of my zone:
> 
> > https://dnsviz.net/d/3.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.9.5.5.0.1.0.0.2.ip6.arpa/dnssec/

Just one crucial expired RRSIG, the KSK "self-signature" of the DNSKEY
RRset of "9.5.5.0.1.0.0.2.ip6.arpa".  Deprecation of algorithm 5 aside,
everything else looks OK.

But this does suggest lack of monitoring of this particular reverse
zone.  With the RRSIG 4 days in the past, this appears to have been
overlooked.

The inception was 124 days in the past, so this is a 6 month RRSIG
validity, which I think is long enough to increase the odds of
complacency.  If the RRSIG lifetime were only 30 days or less,
this would more likely have been subject to well-oiled automation.

I do not recommend either X.509 certificate or RRSIG lifetimes quite
this long.  Shorter lifetimes IMHO promote better discipline.

-- 
    Viktor.
