is this "normal" if not what to do about it?

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jan 27 23:42:48 CET 2015


On Tue, Jan 27, 2015 at 05:30:26PM -0500, John wrote:

> >NO.  I'm recommending signature lifetimes of ~7 days for sites with
> >the operational capacity to keep everything current on a tight
> >schedule.  This way, signatures of stale records expire quickly.
>
> I am still not quite sure what you mean. I have a sneaky feeling that we are
> talking about two different things.
> My DNSKEYs have a life of about 60 days, which is what I thought you were
> talking about.

I am NOT talking about key lifetimes.  I am talking about signature
lifetimes.

> However, if I look a little closer I see that my RRSIG has a life of about
> 30 days. I don't remember specifying any times when I signed my zones, plus
> I am now using inline signing.

That's what I'm talking about.  The 30 day lifetime is likely a
default if you don't override it.  It is likely best to leave it
that way, unless you have stricter security requirements and the
operational capability to work within a more narrow expiration
window.

Likewise, keep the crypto settings mainstream.  Having keys "more
secure" than the root and/or your parent domain's makes no sense.

There are no security proofs for fundamental crypto primitives
other than the ever impractical one-time pad.  Everything else is
at best a reasonable trade-off.  At this point in time RSA 2048 is
a reasonable trade-off.  Stronger RSA keys for DNSSEC are not
reasonable, and ECC is for now not sufficiently interoperable and
the best curve choices are about to change.

So I think it is fair to say that at present best practice is to
use a 2048-bit algorithm 8 KSK, and either a 2048-bit or even a
1024-bit (rotated periodically to suit your taste) algorithm 8 ZSK.

Anything more exotic is likely counter-productive.

-- 
	Viktor.
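As an added example (not part of the thread, and not code from either poster), the following Python script reads a DNSKEY and an RRSIG in presentation format, the form `dig +dnssec` prints, and reports the distinction drawn above: the signature lifetime (expiration minus inception) as opposed to the key's lifetime, together with the key's role, algorithm and RSA modulus size, checked against the settings the message recommends. The records it builds are constructed placeholders with a fake modulus and a dummy signature; the key-tag computation (RFC 4034 Appendix B), the RSA public-key layout (RFC 3110) and the UTC timestamp format (RFC 4034) are the standard ones.

```python
"""Audit DNSSEC signature lifetimes and key parameters from presentation-format
records.  Added example; the records it constructs are placeholders, not real
keys or signatures."""
import base64
import datetime as dt

UTC = dt.timezone.utc


def parse_ts(s):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.1.5)."""
    return dt.datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=UTC)


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA in wire form."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bits(pubkey):
    """RFC 3110 layout: exponent length (1 byte, or 0 + 2 bytes), exponent, modulus."""
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    return int.from_bytes(pubkey[offset + exp_len:], "big").bit_length()


def parse_rrsig(line):
    # owner ttl class RRSIG type alg labels orig_ttl expiration inception tag signer sig
    f = line.split(";")[0].split()
    if f[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return {"algorithm": int(f[5]), "expiration": parse_ts(f[8]),
            "inception": parse_ts(f[9]), "key_tag": int(f[10]), "signer": f[11]}


def parse_dnskey(line):
    # owner ttl class DNSKEY flags protocol alg base64-public-key...
    f = line.split(";")[0].split()
    if f[3] != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    flags, protocol, algorithm = int(f[4]), int(f[5]), int(f[6])
    pubkey = base64.b64decode("".join(f[7:]))
    return {"owner": f[0], "flags": flags, "algorithm": algorithm, "pubkey": pubkey,
            # bit 15 of the flags field is the SEP bit, which marks a KSK
            "role": "KSK" if flags & 0x0001 else "ZSK",
            "key_tag": key_tag(flags, protocol, algorithm, pubkey)}


def audit(rrsig_line, dnskey_line, now_ts):
    """Check one RRSIG against the DNSKEY it claims to be made with: signature
    lifetime between ~7 and 30 days, algorithm 8, 2048-bit KSK, 1024/2048-bit ZSK."""
    sig, key, now = parse_rrsig(rrsig_line), parse_dnskey(dnskey_line), parse_ts(now_ts)
    lifetime = sig["expiration"] - sig["inception"]  # signature, not key, lifetime
    findings = []
    if sig["key_tag"] != key["key_tag"] or sig["algorithm"] != key["algorithm"]:
        findings.append("RRSIG key tag/algorithm does not match this DNSKEY")
    if sig["expiration"] <= now:
        findings.append("signature already expired")
    if lifetime > dt.timedelta(days=30):
        findings.append("signature lifetime exceeds the usual 30-day default")
    if lifetime < dt.timedelta(days=7):
        findings.append("signature lifetime under 7 days; needs tight re-signing")
    if key["algorithm"] != 8:
        findings.append("algorithm is not 8 (RSA/SHA-256)")
    bits = rsa_modulus_bits(key["pubkey"]) if key["algorithm"] in (5, 7, 8, 10) else None
    if key["role"] == "KSK" and bits != 2048:
        findings.append("KSK is not 2048-bit RSA")
    if key["role"] == "ZSK" and bits not in (1024, 2048):
        findings.append("ZSK is not 1024- or 2048-bit RSA")
    return {"role": key["role"], "algorithm": key["algorithm"], "bits": bits,
            "lifetime_days": lifetime.total_seconds() / 86400,
            "remaining_days": (sig["expiration"] - now).total_seconds() / 86400,
            "findings": findings}


def make_fake_dnskey(owner, flags, modulus_bits):
    """Constructed DNSKEY line with a placeholder modulus (top bit set so only
    its size is meaningful).  Not a real key."""
    exponent = (65537).to_bytes(3, "big")
    n = modulus_bits // 8
    modulus = bytes([0xC3]) + bytes(i & 0xFF for i in range(1, n))
    pubkey = bytes([len(exponent)]) + exponent + modulus
    return f"{owner} 3600 IN DNSKEY {flags} 3 8 {base64.b64encode(pubkey).decode()}"


def make_fake_rrsig(owner, rtype, dnskey_line, inception, expiration):
    """Constructed RRSIG line naming the given key; the signature field is a dummy."""
    key = parse_dnskey(dnskey_line)
    return (f"{owner} 3600 IN RRSIG {rtype} {key['algorithm']} 2 3600 "
            f"{expiration} {inception} {key['key_tag']} {key['owner']} AAAA")


SAMPLE_KSK = make_fake_dnskey("example.org.", 257, 2048)
SAMPLE_ZSK = make_fake_dnskey("example.org.", 256, 1024)
# 30-day signature lifetime starting at the time of the post (UTC), the default discussed.
SAMPLE_RRSIG = make_fake_rrsig("example.org.", "A", SAMPLE_ZSK, "20150127224248", "20150226224248")

if __name__ == "__main__":
    for key in (SAMPLE_ZSK, SAMPLE_KSK):
        print(audit(SAMPLE_RRSIG, key, "20150128000000"))
```

Run against real output, paste the `DNSKEY` and `RRSIG` lines `dig +dnssec +multiline` prints (trailing `;` comments are stripped, and a base64 key split over several tokens is re-joined); the key-tag comparison tells you which key actually made a given signature, which is the check John's "60 days versus 30 days" confusion calls for.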

