<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<div class="">+1 for short RRSIG times and the discipline it enforces. We went down this path when building DNSSEC for Route 53, ZSK signatures are on the order of 10 hours:</div>
<div class=""><br class="">
</div>
<div class="">
<div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: "Andale Mono"; color: rgb(47, 255, 18); background-color: rgba(0, 0, 0, 0.9);" class="">
<span style="font-variant-ligatures: no-common-ligatures" class=""><a href="http://hilander.com" class="">hilander.com</a>.<span class="Apple-tab-span" style="white-space:pre">
</span>3599 IN<span class="Apple-tab-span" style="white-space:pre"> </span>RRSIG DNSKEY 13 2 3600 20210210090000 (</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: "Andale Mono"; color: rgb(47, 255, 18); background-color: rgba(0, 0, 0, 0.9);" class="">
<span style="font-variant-ligatures: no-common-ligatures" class=""><span class="Apple-tab-span" style="white-space:pre"></span>20210209230000 38680
<a href="http://hilander.com" class="">hilander.com</a>.</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: "Andale Mono"; color: rgb(47, 255, 18); background-color: rgba(0, 0, 0, 0.9);" class="">
<span style="font-variant-ligatures: no-common-ligatures" class=""><span class="Apple-tab-span" style="white-space:pre"></span>3H3QZt3qC2XbqkbumqsvRVeVrtgJVVRVGC/TZkc7vMuN</span></div>
<div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: "Andale Mono"; color: rgb(47, 255, 18); background-color: rgba(0, 0, 0, 0.9);" class="">
<span style="font-variant-ligatures: no-common-ligatures" class=""><span class="Apple-tab-span" style="white-space:pre"></span>IdlL/wZrw+qBfYaSOex7dOp2PUP7pwW+NUgCXc2F7Q== )</span></div>
</div>
<div class=""><br class="">
</div>
<div class="">A bunch of risks with this approach that needs to be mitigated, especially around static stability in the face of an issue with the ZSK signing process. But all solvable. As part of this we also automated ZSK rotation (which happens less often,
but still on the order of once a week). </div>
<div class=""><br class="">
</div>
<div class="">
<div>
<blockquote type="cite" class="">
<div class="">On Feb 8, 2021, at 9:27 PM, Paul Vixie <<a href="mailto:paul@redbarn.org" class="">paul@redbarn.org</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.<br class="">
<br class="">
<br class="">
<br class="">
On Mon, Feb 08, 2021 at 01:45:06AM -0500, Viktor Dukhovni wrote:<br class="">
<blockquote type="cite" class="">...<br class="">
I do not recommend either X.509 certificate or RRSIG lifetimes quite<br class="">
this long. Shorter lifetimes IMHO promote better discipline.<br class="">
</blockquote>
<br class="">
for my own zones i think i'm using one year signatures and regenerating them<br class="">
from "cron" once per week -- just to be safe. so, not better discipline unless<br class="">
you deliberately _live_ on the edge, which i think is an unwise practice.<br class="">
<br class="">
i expect i'll crib together some bourne shellack to check my whole signature<br class="">
chains and warn me when there's less than 72 hours remaining in any validity<br class="">
period. going into SERVFAIL like this is an operational risk i shouldn't take.<br class="">
<br class="">
--<br class="">
Paul Vixie<br class="">
_______________________________________________<br class="">
dns-operations mailing list<br class="">
<a href="mailto:dns-operations@lists.dns-oarc.net" class="">dns-operations@lists.dns-oarc.net</a><br class="">
https://lists.dns-oarc.net/mailman/listinfo/dns-operations<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
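<div class="">An added example, not part of this thread and not Route 53's or anyone's production tooling: a small Python script that parses an RRSIG record in dig-style presentation format, computes its validity window, and classifies it at a given instant, flagging signatures with less than a threshold of lifetime left (the 72-hour alarm Paul describes is the default). The hilander.com record quoted above is embedded verbatim as sample input, so the 10-hour window can be checked offline; the second record (a one-year signature on a made-up zone, with a placeholder signature field), the function names and the fixed "now" instant are constructed for illustration.</div>

```python
"""Check RRSIG validity windows from presentation-format records (example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample input: the hilander.com RRSIG quoted in the thread above,
# as dig prints it (multi-line, parenthesised continuation).
SHORT_RRSIG = """\
hilander.com.\t3599 IN\tRRSIG DNSKEY 13 2 3600 20210210090000 (
\t\t20210209230000 38680 hilander.com.
\t\t3H3QZt3qC2XbqkbumqsvRVeVrtgJVVRVGC/TZkc7vMuN
\t\tIdlL/wZrw+qBfYaSOex7dOp2PUP7pwW+NUgCXc2F7Q== )
"""

# Constructed sample: a one-year signature like the ones Paul describes.
# Zone name, key tag and signature field are placeholders, not real data.
LONG_RRSIG = (
    "example.test. 3600 IN RRSIG SOA 13 2 3600 20220208120000 "
    "20210208120000 12345 example.test. PLACEHOLDERSIGNATUREBYTES="
)


def _flatten(text: str) -> list[str]:
    """Tokenise a presentation-format record, treating RFC 1035 parentheses as
    line continuation so multi-line dig output becomes one field list."""
    return text.replace("(", " ").replace(")", " ").split()


def parse_dns_time(field: str) -> datetime:
    """RFC 4034 section 3.2: YYYYMMDDHHmmSS, or seconds since the epoch; UTC."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(text: str) -> dict:
    """Parse one RRSIG RR (owner TTL class RRSIG <rdata>) into a dict."""
    tokens = _flatten(text)
    if "RRSIG" not in tokens:
        raise ValueError("not an RRSIG record")
    rdata = tokens[tokens.index("RRSIG") + 1:]
    if len(rdata) < 9:
        raise ValueError("truncated RRSIG RDATA")
    return {
        "owner": tokens[0],
        "type_covered": rdata[0],
        "algorithm": int(rdata[1]),
        "labels": int(rdata[2]),
        "original_ttl": int(rdata[3]),
        "expiration": parse_dns_time(rdata[4]),
        "inception": parse_dns_time(rdata[5]),
        "key_tag": int(rdata[6]),
        "signer": rdata[7],
        "signature": "".join(rdata[8:]),  # base64 may be wrapped over lines
    }


def validity_window(rrsig: dict) -> timedelta:
    """Total signature lifetime (expiration minus inception)."""
    return rrsig["expiration"] - rrsig["inception"]


def remaining(rrsig: dict, now: datetime) -> timedelta:
    """Time left before the signature expires (negative once expired)."""
    return rrsig["expiration"] - now


def fraction_remaining(rrsig: dict, now: datetime) -> float:
    """Remaining lifetime as a fraction of the window; for windows shorter than
    an absolute alarm such as 72 hours, this is the number worth alerting on."""
    return remaining(rrsig, now) / validity_window(rrsig)


def check_rrsig(rrsig: dict, now: datetime,
                warn_before: timedelta = timedelta(hours=72)) -> str:
    """Classify a signature at time `now` per RFC 4035 section 5.3.1: usable only
    when inception <= now <= expiration; "warn" when less than `warn_before`
    of lifetime is left (the thread's 72-hour alarm by default)."""
    if now < rrsig["inception"]:
        return "not-yet-valid"
    if now > rrsig["expiration"]:
        return "expired"
    if remaining(rrsig, now) < warn_before:
        return "warn"
    return "ok"


if __name__ == "__main__":
    now = parse_dns_time("20210210050000")  # fixed instant for reproducibility
    for record in (SHORT_RRSIG, LONG_RRSIG):
        sig = parse_rrsig(record)
        print(f"{sig['owner']} {sig['type_covered']} keytag={sig['key_tag']}: "
              f"window={validity_window(sig)} remaining={remaining(sig, now)} "
              f"({fraction_remaining(sig, now):.0%}) -> {check_rrsig(sig, now)}")
```

<div class="">Run against the hilander.com record, the script reports a 10-hour window, and a fixed 72-hour alarm would fire at every instant of that window; for signatures that short the fraction of lifetime remaining (or a much smaller <code>warn_before</code>) is the meaningful threshold, while the 72-hour figure fits year-long signatures regenerated weekly. The script only reads the timestamps; it does not verify the signature bytes, and it does not apply RFC 4034's 32-bit serial-number arithmetic to the time fields.</div>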
</body>
</html>