is this "normal" if not what to do about it?

John john at
Tue Jan 27 23:30:26 CET 2015

On 1/27/2015 2:00 PM, Viktor Dukhovni wrote:
>> Are you recommending rolling the ZSKs every 7 days, or are you talking about
>> something else?
> NO.  I'm recommending signature lifetimes of ~7 days for sites with
> the operational capacity to keep everything current on a tight
> schedule.  This way, signatures of stale records expire quickly.
I am still not quite sure what you mean. I have a sneaky feeling that we
are talking about two different things.
My DNSKEYs have a life of about 60 days, which is what I thought you
were talking about.

However, if I look a little closer I see that my RRSIG has a life of
about 30 days. I don't remember specifying any times when I signed my
zones, plus I am now using inline signing.
I think I had better find out how to specify these values for inline.

> Overkill IMHO.  Since the root zone signature is 2048 bits, anything
> stronger is just a waste of bandwidth and risks interoperability
> problems.  In a decade from now, perhaps we'll have interoperable
> options based on soon to be defined best-practice ECC curves.
>
> For now RSA-2048 is about as strong as you can reasonably get, and
> likely strong enough.

Given the length of root signatures, I have to agree that 2048 is it.
> There is AFAIK no public evidence of practical key recovery attacks
> on RSA-1024, when properly seeded.  Practical attacks on 2048-bit
> RSA seem rather unlikely at present.
That's the problem with cryptography. Nobody is going to tell you that
they have broken your codes; you only find out when something unexpected
or unpleasant happens.

Take care.

John Allen
Support bacteria. They are the only culture some people have.
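The thread turns on the difference between key lifetime (DNSKEY, ~60 days here) and signature lifetime (RRSIG, ~30 days, the BIND default for `sig-validity-interval`). The script below is an added example, not part of the original message or of BIND; it parses RRSIG records in `dig +dnssec` presentation format, reports each signature's validity window, and flags signatures that have expired or will expire within a chosen window, which is the check an operator running Viktor's ~7 day lifetimes would want in monitoring. The zone name `example.test`, the key tags and the signature data in `SAMPLE` are constructed, not captured from any real zone.

```python
"""Check RRSIG validity windows from dig-style output.

Added example, not part of the original mailing-list message: the RRSIG
lines below are constructed (hypothetical zone example.test, made-up key
tags and signature data), not captured from a real zone.

RRSIG presentation format (RFC 4034, section 3.2):
  owner TTL IN RRSIG type-covered alg labels orig-ttl expiration inception key-tag signer sig
Expiration and inception are YYYYMMDDHHMMSS in UTC.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample resembling `dig +dnssec` answer lines for a zone
# that uses BIND's default 30-day signature validity, with the DNSKEY
# RRset signed for 60 days (the two lifetimes discussed in the thread).
SAMPLE = """\
example.test. 3600 IN RRSIG A 8 2 3600 20150226120000 20150127120000 12345 example.test. AbCdEf==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20150328120000 20150127120000 54321 example.test. GhIjKl==
"""


def _ts(field):
    """Parse an RRSIG timestamp (YYYYMMDDHHMMSS, UTC) into an aware datetime."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Return a dict for one RRSIG line, or None if the line is not an RRSIG."""
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        return None
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "expiration": _ts(f[8]),
        "inception": _ts(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def parse_records(text):
    """Parse every RRSIG line in a block of dig-style output; other lines are skipped."""
    recs = []
    for line in text.splitlines():
        rec = parse_rrsig(line)
        if rec:
            recs.append(rec)
    return recs


def signature_lifetime(rec):
    """Total validity window of the signature (expiration minus inception)."""
    return rec["expiration"] - rec["inception"]


def expiring_soon(recs, now, window):
    """RRSIGs already expired or expiring within `window` of `now`.

    A short validity period is only safe if re-signing is monitored;
    this is the check such monitoring would run against live answers.
    """
    return [r for r in recs if r["expiration"] - now <= window]


def report(text, now_iso, window_days=7):
    """Parse `text` and return the covered types whose signatures expire
    within `window_days` of `now_iso` (ISO 8601 timestamp, read as UTC)."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    recs = parse_records(text)
    return [r["type_covered"] for r in expiring_soon(recs, now, timedelta(days=window_days))]


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(f"{rec['owner']} RRSIG {rec['type_covered']}: "
              f"lifetime {signature_lifetime(rec).days} days, "
              f"expires {rec['expiration']:%Y-%m-%d %H:%M}Z")
    print("expiring within 7 days of 2015-02-20:", report(SAMPLE, "2015-02-20T00:00:00"))
```

Run on the constructed sample it reports a 30-day lifetime for the A signature and 60 days for the DNSKEY signature, and flags only the A signature when evaluated a week before 26 February 2015. In BIND terms, the 30 days John observed is the default of `sig-validity-interval`; with inline signing the same option in the zone or options block sets the window, so Viktor's ~7 day lifetime would be written as `sig-validity-interval 7 3;` (7 days of validity, signatures regenerated 3 days before they expire).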
