[Opendnssec-user] Two questions

Roman Serbski mefystofel at gmail.com
Mon Sep 8 14:56:30 CEST 2014


On Tue, Sep 2, 2014 at 2:37 PM, Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:
>
>> And the second question: could somebody please explain the reasons
>> for increasing ZSK lifetime from 30 to 90 days in the default
>> policy?
>
> My guess is that 90 is considered "better" than 30 for people who just
> copy the defaults. Those people do not tend to be paranoid.
>
> But maybe Jakob remembers?
>
> $ git show 627d8279
> commit 627d82798aeb0d54e30bd63ce3a0131c4dbbb509
> Author: Jakob Schlyter <jakob at kirei.se>
> Date:   Wed Apr 18 12:47:28 2012 +0000
>
>     Change the default signature validity to 14 days (was 7 days)
>     Change the default ZSK lifetime to 90 days (was 30 days)

Thank you Yuri.

If I modify kasp.xml and revert to the old default values (7/30),
followed by "ods-ksmutil update kasp", do I need to perform a manual ZSK
rollover, or will it be handled automatically?

Thanks.


