
List:       dns-operations
Subject:    Re: [dns-operations] anybody awake over at comcast.net?
From:       Paul Vixie <paul () redbarn ! org>
Date:       2021-02-09 5:27:01
Message-ID: 20210209052701.apv26ue43hq5y63d () family ! redbarn ! org

On Mon, Feb 08, 2021 at 01:45:06AM -0500, Viktor Dukhovni wrote:
> ...
> I do not recommend either X.509 certificate or RRSIG lifetimes quite
> this long.  Shorter lifetimes IMHO promote better discipline.

for my own zones i think i'm using one year signatures and regenerating them
from "cron" once per week -- just to be safe. so, not better discipline unless
you deliberately _live_ on the edge, which i think is an unwise practice.

i expect i'll crib together some bourne shellack to check my whole signature
chains and warn me when there's less than 72 hours remaining in any validity
period. going into SERVFAIL like this is an operational risk i shouldn't take.

-- 
Paul Vixie
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
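The 72-hour check Vixie says he will script, as an added example that is not part of the original post or his own tooling (and in Python rather than the Bourne shell he mentions). It parses presentation-format RRSIG records as `dig +dnssec` prints them, one RR per line, and reports any signature that has expired, is within the warning margin of expiring, or (the other way a resolver ends up at SERVFAIL) has an inception time still in the future. The zone name `example.net.`, the key tags and the signature bytes in the embedded sample are constructed for the demo; the clock is fixed at the post's own timestamp so the run is reproducible.

```python
"""Warn when any RRSIG in a signature chain is close to expiring.

Added example, not Paul Vixie's script. Feed it the output of e.g.
`dig +dnssec DS example.net`, `dig +dnssec DNSKEY example.net` and
`dig +dnssec SOA example.net` on stdin, one RR per line; run it with
no stdin to see the constructed sample below.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass
from datetime import datetime, timezone

WARN_SECONDS = 72 * 3600  # the 72-hour margin named in the post


@dataclass
class Rrsig:
    owner: str
    type_covered: str
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def _parse_time(field: str) -> datetime:
    """RFC 4034 s3.2 presentation form: YYYYMMDDHHmmSS in UTC, or seconds since the epoch."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(line: str) -> Rrsig | None:
    """Parse one presentation-format RRSIG RR; any other RR (or a comment) yields None."""
    fields = line.split()
    # owner [ttl] [class] RRSIG type alg labels origttl expiration inception keytag signer sig...
    try:
        i = fields.index("RRSIG")
    except ValueError:
        return None
    if i == 0 or len(fields) < i + 10:
        return None
    return Rrsig(
        owner=fields[0],
        type_covered=fields[i + 1],
        expiration=_parse_time(fields[i + 5]),
        inception=_parse_time(fields[i + 6]),
        key_tag=int(fields[i + 7]),
        signer=fields[i + 8],
    )


def check_chain(records: str, now: datetime, warn_seconds: int = WARN_SECONDS) -> list[str]:
    """Return one warning per RRSIG that is expired, expiring within warn_seconds, or not yet valid."""
    problems: list[str] = []
    for raw in records.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        sig = parse_rrsig(line)
        if sig is None:
            continue
        label = f"{sig.owner} {sig.type_covered} (key tag {sig.key_tag}, signer {sig.signer})"
        if now < sig.inception:
            # Validators reject this too: clock skew or a signature published ahead of time.
            problems.append(f"NOT YET VALID: {label} inception {sig.inception:%Y-%m-%dT%H:%M:%SZ}")
            continue
        remaining = (sig.expiration - now).total_seconds()
        if remaining <= 0:
            problems.append(f"EXPIRED: {label} expired {sig.expiration:%Y-%m-%dT%H:%M:%SZ}")
        elif remaining < warn_seconds:
            problems.append(f"EXPIRING: {label} has {remaining / 3600:.1f}h left")
    return problems


# Constructed sample: the three links a validator walks (parent DS, apex DNSKEY, zone data),
# plus one record with a future inception. Zone, key tags and signature bytes are made up.
SAMPLE = """\
; DS at the parent, signed by the parent's ZSK; plenty of validity left
example.net.      3600 IN RRSIG DS 13 2 3600 20210305000000 20210205000000 11111 net. cGFyZW50c2ln
; apex DNSKEY RRset, KSK-signed; expires in under 48 hours
example.net.      3600 IN RRSIG DNSKEY 13 2 3600 20210211050000 20210204050000 22222 example.net. a2V5c2ln
; SOA, ZSK-signed with a year-long window regenerated weekly, as in the post
example.net.      3600 IN RRSIG SOA 13 2 3600 20220201000000 20210201000000 33333 example.net. c29hc2ln
; inception still in the future at NOW
www.example.net.  3600 IN RRSIG A 13 3 3600 20220201000000 20210210000000 33333 example.net. YXNpZw==
"""

NOW = datetime(2021, 2, 9, 5, 27, 1, tzinfo=timezone.utc)  # the post's own timestamp

if __name__ == "__main__":
    if sys.stdin.isatty():
        text, now = SAMPLE, NOW  # demo run against the constructed sample
    else:
        text, now = sys.stdin.read(), datetime.now(timezone.utc)
    found = check_chain(text, now)
    print("\n".join(found) or "all signatures have more than 72h of validity left")
    sys.exit(1 if found else 0)
```

Run from cron it exits non-zero whenever anything is flagged, which is the hook for the warning e-mail. Each link of the chain needs its own query (the DS RRSIG lives in the parent zone and is signed by the parent's key), which is why the script takes whatever `dig +dnssec` output you concatenate rather than trying to walk the chain itself.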
