is this "normal" if not what to do about it?
ietf-dane at dukhovni.org
Tue Jan 27 23:42:48 CET 2015
On Tue, Jan 27, 2015 at 05:30:26PM -0500, John wrote:
> >NO. I'm recommending signature lifetimes of ~7 days for sites with
> >the operational capacity to keep everything current on a tight
> >schedule. This way, signatures of stale records expire quickly.
> I am still not quite sure what you mean. I have a sneaky feeling that we are
> talking about two different things.
> My DNSKEYs have a life of about 60 days, which is what I thought you were
> talking about.
I am NOT talking about key lifetimes. I am talking about signature
> However, if I look a little closer I see that my RRSIG has a life of about
> 30 days. I don't remember specifying any times when I signed my zones, plus
> I am now using inline signing.
That's what I'm talking about. The 30 day lifetime is likely a
default if you don't override it. It is likely best to leave it
that way, unless you have stricter security requirements and the
operational capability to work within a more narrow expiration
Likewise, keep the crypto settings mainstream. Having keys "more
secure" than the root and/or your parent domain's makes no sense.
There are no security proofs for fundamental crypto primitives
other than the ever impractical one-time pad. Everything else is
at best a reasonable trade-off. At this point in time RSA 2048 is
a reasonable trade-off. Stronger RSA keys for DNSSEC are not
reasonable, and ECC is for now not sufficiently interoperable and
the best curve choices are about to change.
So I think it is fair to say that at present best practice is to
use a 2048-bit algorithm 8 KSK, and either a 2048-bit or even a
1024-bit (rotated periodically to suit your taste) algorithm 8 ZSK.
Anything more exotic is likely counter-productive.
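An added example, not from this thread, that checks the two things the reply distinguishes: the RRSIG validity window (inception to expiration, and how much of it is left at a given date) and the RSA modulus size of algorithm 8 DNSKEYs, parsed per RFC 3110. The zone name, key tags and key/signature blobs are constructed placeholders.

```python
import base64
from datetime import datetime, timezone

def rsa_modulus_bits(key_b64):
    """Modulus bits of an RFC 3110 RSA DNSKEY: byte 0 is the exponent length (0 = 2-byte length follows)."""
    raw = base64.b64decode(key_b64)
    exp_len, off = (int.from_bytes(raw[1:3], "big"), 3) if raw[0] == 0 else (raw[0], 1)
    return int.from_bytes(raw[off + exp_len:], "big").bit_length()

def parse_ts(s):
    """RRSIG presentation-format timestamp (YYYYMMDDHHmmSS, UTC)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def audit_zone(records, now):
    """One finding per DNSKEY/RRSIG line; 'note' is set when the record departs from the
    thread's advice (algorithm 8, >=2048-bit KSK, >=1024-bit ZSK, signature not expired)."""
    out = []
    for rec in records:
        f = rec.split()
        if len(f) > 7 and f[3] == "DNSKEY":
            flags, alg = int(f[4]), int(f[6])
            role = "KSK" if flags & 1 else "ZSK"          # bit 0 of flags is the SEP bit
            bits = rsa_modulus_bits("".join(f[7:])) if alg in (5, 7, 8, 10) else None
            floor = 2048 if role == "KSK" else 1024
            note = ("non-mainstream algorithm" if alg != 8
                    else f"{role} below {floor} bits" if bits < floor else None)
            out.append({"type": "DNSKEY", "role": role, "alg": alg, "bits": bits, "note": note})
        elif len(f) > 11 and f[3] == "RRSIG":
            exp, inc = parse_ts(f[8]), parse_ts(f[9])   # expiration, inception
            left = (exp - now).total_seconds() / 86400
            out.append({"type": "RRSIG", "covers": f[4], "lifetime_days": (exp - inc).days,
                        "days_left": round(left, 1), "note": "EXPIRED" if left <= 0 else None})
    return out

def fake_rsa_key_b64(bits, long_form=False):
    """Constructed RFC 3110 blob: exponent 65537 and an all-ones modulus. Placeholder for
    exercising the parser only; it is not a usable key."""
    prefix = b"\x00\x00\x03" if long_form else b"\x03"
    modulus = ((1 << bits) - 1).to_bytes(bits // 8, "big")
    return base64.b64encode(prefix + b"\x01\x00\x01" + modulus).decode()

# Constructed sample records (signature fields are placeholders).
SAMPLE = [
    f"example.test. 3600 IN DNSKEY 257 3 8 {fake_rsa_key_b64(2048)}",
    f"example.test. 3600 IN DNSKEY 256 3 8 {fake_rsa_key_b64(1024)}",
    "example.test. 3600 IN RRSIG A 8 2 3600 20150226000000 20150127000000 12345 example.test. c2ln",
    "example.test. 3600 IN RRSIG MX 8 2 3600 20150120000000 20141221000000 12345 example.test. c2ln",
]
NOW = datetime(2015, 1, 27, 22, 42, 48, tzinfo=timezone.utc)   # the thread's date, in UTC
```

Run `audit_zone(SAMPLE, NOW)` to see the two 30-day signature windows, one still valid and one already expired, alongside the key sizes; on a live zone, feed it the output of a DNSKEY/RRSIG query instead of SAMPLE.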