[Opendnssec-develop] Proposed KASP changes for 1.4/trunk
Sion Lloyd
sion at nominet.org.uk
Wed Apr 18 07:27:14 UTC 2012
+1
Should we communicate this change to the users list to encourage people to check their own policy? In case folk used the old defaults without noticing.
________________________________________
From: opendnssec-develop-bounces at lists.opendnssec.org [opendnssec-develop-bounces at lists.opendnssec.org] on behalf of Roland van Rijswijk [Roland.vanRijswijk at surfnet.nl]
Sent: 17 April 2012 15:54
To: Jakob Schlyter
Cc: <opendnssec-develop at lists.opendnssec.org> Developers
Subject: Re: [Opendnssec-develop] Proposed KASP changes for 1.4/trunk
+1
On 17 apr. 2012, at 15:04, Jakob Schlyter wrote:
> I think we should consider increasing the default signature lifetime to 14 days and the ZSK lifetime to 90 days.
>
> What say you?
>
> jakob
>
>
> Index: kasp.xml.in
> ===================================================================
> --- kasp.xml.in (revision 6260)
> +++ kasp.xml.in (working copy)
> @@ -21,8 +21,8 @@
> <Resign>PT2H</Resign>
> <Refresh>P3D</Refresh>
> <Validity>
> - <Default>P7D</Default>
> - <Denial>P7D</Denial>
> + <Default>P14D</Default>
> + <Denial>P14D</Denial>
> </Validity>
> <Jitter>PT12H</Jitter>
> <InceptionOffset>PT3600S</InceptionOffset>
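Review bot: <Refresh> stays at P3D in the unchanged context while <Default> and <Denial> under <Validity> go from P7D to P14D, so the change should say whether that refresh margin is still the intended one for the longer validity. A short comment above <Validity> or a line in the commit message recording the reasoning would do. Because this edits the kasp.xml.in template, the release notes should also point out that a policy copied from the old P7D defaults keeps the old values until the operator edits it.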
> @@ -58,7 +58,7 @@
> <!-- Parameters for ZSK only -->
> <ZSK>
> <Algorithm length="1024">8</Algorithm>
> - <Lifetime>P30D</Lifetime>
> + <Lifetime>P90D</Lifetime>
> <Repository>SoftHSM</Repository>
> <!-- <ManualRollover/> -->
> </ZSK>
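Review bot: the ZSK <Lifetime> goes from P30D to P90D while the context line above it keeps <Algorithm length="1024">8</Algorithm>, so each 1024-bit key is now in use three times as long. Either confirm that 1024 bits is still the intended default for a 90-day key or raise the length in the same change, and add a brief comment next to <Lifetime> stating the rationale.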
>
> --
> Jakob Schlyter
> Kirei AB - http://www.kirei.se/
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl