[dns-operations] anybody awake over at comcast.net?
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Feb 8 06:45:06 UTC 2021
On Sun, Feb 07, 2021 at 10:22:49PM -0800, Paul Vixie wrote:
> my IPv6 PTRs are failing, and like last time, it's a signature
> expiration upstream of my zone:
>
> > https://dnsviz.net/d/3.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.9.5.5.0.1.0.0.2.ip6.arpa/dnssec/
Just one crucial expired RRSIG, the KSK "self-signagure" of the DNSKEY
RRset of "9.5.5.0.1.0.0.2.ip6.arpa". Deprecation of algorithm 5 aside,
everything else looks OK.
But this does suggest lack of monitoring of this particular reverse
zone. With the RRSIG 4 days in the past, this appears to have been
overlooked.
The inception was 124 days in the past, so this is a 6 month RRSIG
validity, which I think is long enough to increase the odds of
complacency. If the RRSIG lifetime were only 30 days or less,
this would more likely have been subject to well-oiled automation.
I do not recommend either X.509 certificate or RRSIG lifetimes quite
this long. Shorter lifetimes IMHO promote better discipline.
--
Viktor.
More information about the dns-operations
mailing list