[Opendnssec-user] Two questions

Tom Hendrikx tom at whyscream.net
Mon Sep 8 17:36:47 CEST 2014

On 09/08/2014 02:56 PM, Roman Serbski wrote:
> On Tue, Sep 2, 2014 at 2:37 PM, Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:
>>> And the second question: could somebody please explain the reasons
>>> for increasing ZSK lifetime from 30 to 90 days in the default
>>> policy?
>> My guess is that 90 is considered "better" than 30 for people who just
>> copy the defaults. Those people do not tend to be paranoid.
>> But maybe Jakob remembers?
>> $ git show 627d8279
>> commit 627d82798aeb0d54e30bd63ce3a0131c4dbbb509
>> Author: Jakob Schlyter <jakob at kirei.se>
>> Date:   Wed Apr 18 12:47:28 2012 +0000
>>     Change the default signature validity to 14 days (was 7 days)
>>     Change the default ZSK lifetime to 90 days (was 30 days)
> Thank you Yuri.
> If I modify kasp.xml and revert to the old default values (7/30),
> followed by "ods-ksmutil update kasp", do I need to perform manual ZSK
> rollover or it will be handled automatically?

I was bitten by this change while adopting it in my setup, then
forgetting to manually trigger a resign, causing my public signatures
(containing the old 7 days setting) to expire because ODS thought it
wasn't required to resign until somewhere between 7 and 14 days after I
updated the config. If you don't change signature validity, I shouldn't
give issues. So:

# ods-ksmutil update all (or kasp)
# for d in $domainlist; do ods-signer sign $d; done


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20140908/8f2a9afa/attachment.sig>

More information about the Opendnssec-user mailing list