[dns-operations] anybody awake over at comcast.net?

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Feb 9 07:33:50 UTC 2021


On Tue, Feb 09, 2021 at 05:27:01AM +0000, Paul Vixie wrote:

> On Mon, Feb 08, 2021 at 01:45:06AM -0500, Viktor Dukhovni wrote:
> > ...
> > I do not recommend either X.509 certificate or RRSIG lifetimes quite
> > this long.  Shorter lifetimes IMHO promote better discipline.
> 
> for my own zones i think i'm using one year signatures and regenerating them
> from "cron" once per week -- just to be safe. so, not better discipline unless
> you deliberately _live_ on the edge, which i think is an unwise practice.
> 
> i expect i'll crib together some bourne shellack to check my whole signature
> chains and warn me when there's less than 72 hours remaining in any validity
> period. going into SERVFAIL like this is an operational risk i shouldn't take.

I have BIND 9 doing automatic signing, with 14-day validity, and a
nightly cron job that checks that every signature in every signed zone
is at least 3.14 days away from expiration, and that all NS records
match glue records (as appropriate).

In older BIND releases I'd occasionally find that automatic signing
stopped when the signatures were getting too close to expiring, and
I'd get it going again (reload or resign the zone).  Haven't seen
that happen in some time now.  The underlying issues appear to have
been resolved.

Though my zone hardly changes, I don't sign commitments to accept one
year old data as valid.  And with "danebot" now in use, I'll be rolling
the TLSA RRs more frequently, with old keys not hanging around signed
for more than 14 days.

-- 
    Viktor.
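An added example (not Viktor's cron job, Paul's shell script, or anything shipped with BIND) of the kind of nightly check described in the message above. It reads a signed zone in presentation format, one RR per line as `dig AXFR` emits it, flags every RRSIG with less than a configurable number of days of validity left (3.14 days in Viktor's setup, 72 hours in Paul's), and lists in-bailiwick NS targets that have no A/AAAA record in the zone. The zone name, the zone contents, the placeholder signature field and the `NOW` timestamp are all constructed for illustration; only class IN is parsed, and the parent-side glue comparison, which needs live queries, is out of scope.

```python
"""Nightly DNSSEC sanity check: soon-to-expire RRSIGs and in-bailiwick NS
targets without address records.  Added example; the zone data below is
constructed, not taken from any real zone."""
import re
from datetime import datetime, timedelta, timezone

# RRSIG presentation format (RFC 4034 section 3.2), class IN only:
# NAME TTL IN RRSIG TYPE ALG LABELS ORIGTTL EXPIRATION INCEPTION KEYTAG SIGNER SIG
_RRSIG_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<type>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+\d+\s+(?P<signer>\S+)\s+\S+"
)
# Generic RR: NAME TTL IN TYPE RDATA
_RR_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$")

ZONE = "example.test."  # constructed zone name
# Constructed signed-zone excerpt; the base64 signature field is a placeholder.
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2021020901 7200 3600 1209600 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN NS ns2.example.test.
example.test. 3600 IN RRSIG NS 13 2 3600 20210223000000 20210209000000 12345 example.test. c29tZXNpZw==
ns1.example.test. 3600 IN A 192.0.2.1
ns1.example.test. 3600 IN RRSIG A 13 3 3600 20210211000000 20210128000000 12345 example.test. c29tZXNpZw==
ns2.example.test. 3600 IN AAAA 2001:db8::2
sub.example.test. 3600 IN NS ns1.sub.example.test.
sub.example.test. 3600 IN NS ns.provider.example.
"""
# Constructed "now": the timestamp of the post this example accompanies.
NOW = datetime(2021, 2, 9, 7, 33, 50, tzinfo=timezone.utc)


def _sig_time(yyyymmddhhmmss):
    """RRSIG expiration/inception fields are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def expiring_signatures(zone_text, now, min_days=3.14):
    """Return (owner, covered_type, expiration, days_left) for every RRSIG
    that has already expired or has fewer than min_days of validity left."""
    alerts = []
    for line in zone_text.splitlines():
        m = _RRSIG_RE.match(line.strip())
        if not m:
            continue
        exp = _sig_time(m["exp"])
        days_left = (exp - now) / timedelta(days=1)
        if days_left < min_days:
            alerts.append((m["name"], m["type"], exp, days_left))
    return alerts


def in_bailiwick(name, zone):
    """True if name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)


def ns_without_address(zone_text, zone):
    """In-bailiwick NS targets (apex or delegation) that have no A/AAAA
    record in this zone.  Offline approximation of "NS records match
    glue"; comparing against the parent's glue would need queries."""
    targets, addressed = set(), set()
    for line in zone_text.splitlines():
        m = _RR_RE.match(line.strip())
        if not m:
            continue
        if m["type"] == "NS" and in_bailiwick(m["rdata"].strip(), zone):
            targets.add(m["rdata"].strip())
        elif m["type"] in ("A", "AAAA"):
            addressed.add(m["name"])
    return sorted(targets - addressed)


def report(zone_text, zone, now, min_days=3.14):
    """Lines for the cron mail; an empty list means all clear."""
    lines = [f"{o} RRSIG({t}) expires {e:%Y-%m-%d %H:%M:%S} UTC ({d:.2f} days left)"
             for o, t, e, d in expiring_signatures(zone_text, now, min_days)]
    lines += [f"{n} is an in-zone NS target with no A/AAAA record"
              for n in ns_without_address(zone_text, zone)]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ZONE, ZONE, NOW):
        print(line)
```

Run from cron with the threshold set to whatever margin the signing cadence justifies (min_days=3.0 for Paul's 72 hours); anything it prints should page someone, since a signature that expires is a SERVFAIL for every validating resolver.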


