[Opendnssec-develop] Proposed KASP changes for 1.4/trunk

Sion Lloyd sion at nominet.org.uk
Wed Apr 18 07:27:14 UTC 2012


+1

Should we communicate this change to the users list to encourage people to check their own policy? In case folk used the old defaults without noticing.

________________________________________
From: opendnssec-develop-bounces at lists.opendnssec.org [opendnssec-develop-bounces at lists.opendnssec.org] on behalf of Roland van Rijswijk [Roland.vanRijswijk at surfnet.nl]
Sent: 17 April 2012 15:54
To: Jakob Schlyter
Cc: <opendnssec-develop at lists.opendnssec.org> Developers
Subject: Re: [Opendnssec-develop] Proposed KASP changes for 1.4/trunk

+1

On 17 apr. 2012, at 15:04, Jakob Schlyter wrote:

> I think we should consider increasing the default signature lifetime to 14 days and the ZSK lifetime to 90 days.
>
> What say you?
>
>       jakob
>
>
> Index: kasp.xml.in
> ===================================================================
> --- kasp.xml.in       (revision 6260)
> +++ kasp.xml.in       (working copy)
> @@ -21,8 +21,8 @@
>                       <Resign>PT2H</Resign>
>                       <Refresh>P3D</Refresh>
>                       <Validity>
> -                             <Default>P7D</Default>
> -                             <Denial>P7D</Denial>
> +                             <Default>P14D</Default>
> +                             <Denial>P14D</Denial>
>                       </Validity>
>                       <Jitter>PT12H</Jitter>
>                       <InceptionOffset>PT3600S</InceptionOffset>
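
Review bot: The `<Refresh>P3D</Refresh>` context line in this hunk is left unchanged while both `<Validity>` values double to P14D. Refresh is the margin before expiry at which signatures are regenerated, so the time between a signer outage and the first expired signatures stays at roughly 3 days and does not grow with the new validity. If the aim is more operational slack, consider raising `<Refresh>` in the same change; if the aim is only to re-sign less often, say so in the commit message. Longer validity also lengthens the period in which old signed answers can be replayed, which deserves a line in the release notes for anyone who copied the defaults.
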
> @@ -58,7 +58,7 @@
>                       <!-- Parameters for ZSK only -->
>                       <ZSK>
>                               <Algorithm length="1024">8</Algorithm>
> -                             <Lifetime>P30D</Lifetime>
> +                             <Lifetime>P90D</Lifetime>
>                               <Repository>SoftHSM</Repository>
>                               <!-- <ManualRollover/> -->
>                       </ZSK>
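
Review bot: `<Lifetime>P90D</Lifetime>` triples the ZSK lifetime while the `<Algorithm length="1024">8</Algorithm>` line just above it is unchanged, so each 1024-bit key stays in use three times as long. Either revisit the key length in the same change or record why 1024 bits is considered adequate for a 90-day ZSK. Existing installations that copied the old P30D value into their own policy will not pick up the new default, so the change should be called out in the release notes.
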
>
> --
> Jakob Schlyter
> Kirei AB - http://www.kirei.se/
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop


-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
