[dns-operations] anybody awake over at comcast.net?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Feb 8 08:06:04 UTC 2021

On Mon, Feb 08, 2021 at 01:45:06AM -0500, Viktor Dukhovni wrote:

> The inception was 124 days in the past, so this is a 6 month RRSIG
> validity, which I think is long enough to increase the odds of
> complacency.  If the RRSIG lifetime were only 30 days or less,
> this would more likely have been subject to well-oiled automation.

Well, 4 months actually, but still too long IMHO...

> I do not recommend either X.509 certificate or RRSIG lifetimes quite
> this long.  Shorter lifetimes IMHO promote better discipline.


More information about the dns-operations mailing list