[dns-operations] anybody awake over at comcast.net?
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Feb 8 08:06:04 UTC 2021
On Mon, Feb 08, 2021 at 01:45:06AM -0500, Viktor Dukhovni wrote:
> The inception was 124 days in the past, so this is a 6 month RRSIG
> validity, which I think is long enough to increase the odds of
> complacency. If the RRSIG lifetime were only 30 days or less,
> this would more likely have been subject to well-oiled automation.
Well, 4 months actually, but still too long IMHO...
> I do not recommend either X.509 certificate or RRSIG lifetimes quite
> this long. Shorter lifetimes IMHO promote better discipline.
--
Viktor.
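
An added example, not part of the original message: a monitoring check that reads RRSIG records in presentation format (as printed by dig), computes each signature's lifetime and age, and flags lifetimes above the 30 days mentioned in the post. The sample records, the 7-day renewal margin and the function names are assumptions made for this illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=30)   # lifetime ceiling suggested in the post
RENEW_MARGIN = timedelta(days=7)    # assumed alerting margin before expiry

def parse_ts(field):
    """RFC 4034 sec. 3.2: YYYYMMDDHHmmSS in UTC, or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def check_rrsig(line, now):
    """Classify one RRSIG record given in presentation format."""
    f = line.split()
    i = f.index("RRSIG")
    # RDATA order: covered alg labels origttl expiration inception keytag signer sig
    expiration, inception = parse_ts(f[i + 5]), parse_ts(f[i + 6])
    lifetime = expiration - inception
    if now < inception:
        status = "not-yet-valid"
    elif now > expiration:
        status = "expired"
    elif expiration - now < RENEW_MARGIN:
        status = "expiring-soon"
    else:
        status = "valid"
    return {
        "owner": f[0], "covered": f[i + 1], "status": status,
        "lifetime_days": lifetime.days,
        "age_days": (now - inception).days,
        "long_lifetime": lifetime > MAX_LIFETIME,
    }

# Constructed sample records (not real zone data); signatures are placeholders.
SAMPLE = [
    "example.net. 3600 IN RRSIG SOA 8 2 3600 20210208000000 20201007000000 12345 example.net. c2lnbmF0dXJl",
    "example.org. 3600 IN RRSIG SOA 13 2 3600 20210222000000 20210201000000 54321 example.org. c2lnbmF0dXJl",
]
NOW = datetime(2021, 2, 8, 8, 6, 4, tzinfo=timezone.utc)  # date of the post

if __name__ == "__main__":
    for rec in SAMPLE:
        print(check_rrsig(rec, NOW))
```

Run against a zone's live RRSIGs on a schedule, the "expiring-soon" and "long_lifetime" results are the ones to alert on before validation starts failing.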