signature expiration

[Tony Finch]

hugo hugoo <hugobxl at hotmail.com> wrote:

> Can anyone tell me why signatures in dnssec mut be renewed every 30
> days?

The limited lifetime of the signatures reduces your exposure to a replay
attack. After the signature has expired an attacker cannot fool a victim
by giving them the stale data.

> What are the modifications made on a zone with a resign?

The signatures are regenerated with updated expiry times.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.