DNSSEC key renew time policy
Marc Lampo
marc.lampo at eurid.eu
Wed Dec 28 13:30:28 UTC 2011
Hello,
To be more precise:
1) DNSSEC keys do not expire! (Signatures, generated with keys, do!)
--> this message does not mean you have to *renew* DNSSEC keys;
you have to regenerate signatures.
2) ISC tools generate signatures that are by default valid for one month (30 days)
(after generation time; make sure the calculating server is time sync'd).
3) I suppose, though, you are using (or: trying to use) BIND's "smart signing".
In which case you are, unfortunately, not the first to notice signatures
may not be regenerated in time :-(
Already several incidents, with even TLDs sending expired signatures,
have happened in this area.
--> either don't use smart signing (and have some cronjob recalculate every week,
in addition to recalculation after a change in the unsigned zone data),
or "thaw" and "unthaw" zone files; it has been experienced this triggers
"smart signing" into recalculating (but double check!)
4) Although DNSSEC keys do not expire, do change them regularly:
2-3 months for ZSKs,
1-2 years for KSKs.
Kind regards,
Marc Lampo
Security Officer
EURid - for the .eu top-level-domain
-----Original Message-----
From: Eduardo Bonsi [mailto:beartcom at pacbell.net]
Sent: 27 December 2011 10:16 PM
To: bind-users at isc.org
Subject: DNSSEC key renew time policy
The DLV registry has detected problems with one or more of your zones.
Below is a summary of the errors detected. For full details, please
log into the DLV registry.
https://dlv.isc.org/
Zones for username: myusername
Signature Expired
domain.org
You will only get this message if any of your zones have problems.
I just received this message and I am wondering how much time I should
put into the automatic renewal for my DNSSEC key. Right now I have it set to
21 days, but that is not working, as it has expired before that time.
Thanks!
--
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beartcom at pacbell.net
webmaster at beart.com
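An added check, not part of this thread and not ISC's or EURid's code: a small Python script that parses RRSIG records from a zone file (or `dig +dnssec` output) in standard presentation format and classifies each signature by its expiration time, flagging those already expired and those expiring within two re-signing intervals, so that one missed weekly cron run is still caught before validators start failing. The zone contents, key tag and timestamps are constructed; FIXED_NOW is pinned to the date of the thread so the output is reproducible, and in practice you would pass datetime.now(timezone.utc).

```python
"""Report RRSIG expiry in a DNSSEC-signed zone (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

# Constructed sample zone fragment in presentation format. RRSIG fields after
# the RRSIG keyword are: type-covered alg labels orig-ttl expiration inception
# key-tag signer signature (RFC 4034 section 3.2). Key tag and sigs are fake.
SAMPLE_ZONE = """\
domain.org. 3600 IN SOA ns1.domain.org. hostmaster.domain.org. 2011122701 7200 3600 1209600 3600
domain.org. 3600 IN RRSIG SOA 8 2 3600 20120105000000 20111206000000 12345 domain.org. AAAA
domain.org. 3600 IN RRSIG NS 8 2 3600 20111225000000 20111125000000 12345 domain.org. BBBB
www.domain.org. 3600 IN RRSIG A 8 3 3600 20120126000000 20111227000000 12345 domain.org. CCCC
"""

# Pinned to the date of the thread for a reproducible demo; use
# datetime.now(timezone.utc) when running this against a real zone.
FIXED_NOW = datetime(2011, 12, 28, 13, 30, tzinfo=timezone.utc)


def parse_sig_time(field):
    """RFC 4034 allows YYYYMMDDHHmmSS or a plain seconds-since-epoch integer."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsigs(zone_text):
    """Return one dict per RRSIG line; other record types and comments are skipped."""
    sigs = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        f = line.split()
        if len(f) < 12 or f[3].upper() != "RRSIG":
            continue
        sigs.append({
            "owner": f[0],
            "type": f[4],
            "expiration": parse_sig_time(f[8]),
            "inception": parse_sig_time(f[9]),
            "keytag": int(f[10]),
            "signer": f[11],
        })
    return sigs


def classify(sigs, now, resign_interval_days=7):
    """Bucket signatures by validity relative to `now`.

    A signature is 'expiring' when less than two re-signing intervals remain,
    so a single missed cron run (Marc's weekly recalculation) is still caught.
    """
    warn_before = timedelta(days=2 * resign_interval_days)
    report = {"expired": [], "not_yet_valid": [], "expiring": [], "ok": []}
    for s in sigs:
        label = f"{s['owner']} {s['type']} (keytag {s['keytag']})"
        if now >= s["expiration"]:
            report["expired"].append(label)
        elif now < s["inception"]:
            report["not_yet_valid"].append(label)  # clock skew or future-dated signer
        elif s["expiration"] - now <= warn_before:
            report["expiring"].append(label)
        else:
            report["ok"].append(label)
    return report


def example_report():
    """Run the check over the constructed zone at the pinned time."""
    return classify(parse_rrsigs(SAMPLE_ZONE), FIXED_NOW)


if __name__ == "__main__":
    for bucket, items in example_report().items():
        for item in items:
            print(f"{bucket:14} {item}")
```

Running the script prints one line per signature: the NS signature is already expired (the condition the DLV registry reported), the SOA signature has about a week left and is flagged as expiring, and the A signature is still fine. Wiring `classify` into a cron job that exits non-zero on a non-empty `expired` or `expiring` bucket gives an alert that fires well before validating resolvers start returning SERVFAIL.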