signature expiration

Tony Finch dot at dotat.at
Thu Apr 11 14:46:18 UTC 2013


Alan Clegg <alan at clegg.com> wrote:
>
> I use dynamic zones and never concern myself with expired signatures.
> You can also use inline signing to remove this "hassle".

Yes!

> Better solution:  Sign them more often.  Why not sign them twice a day?
> I personally don't think that extending the signature validity period is
> a good idea.

I agree with the principle. There is a caveat though (Alan knows this but
it should probably be made explicit): If you reduce sig-validity-interval
you need to understand how it interacts with zone expiry on slave servers.
The SOA expiry time should be less than the second sig-validity-interval
parameter.

The first sig-validity-interval parameter is the total signature lifetime
(30 days by default); the second parameter is the time allowed between
signature replacement and expiry (7.5 days by default). So by default
signatures are replaced after 22.5 days.

If there is an outage, you want your slave servers to expire the zone
before the signatures become stale. You don't want your secondaries
serving bogus data. So the default sig-validity-interval works nicely with
a 7 day zone expiry timer. (dig +multiline soa is your friend.)

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
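The interaction Tony describes can be checked mechanically. The following is an added example, not code from the thread or from BIND: it reads the expire timer from a constructed `dig +multiline soa` capture and the `sig-validity-interval` from a constructed named.conf fragment (both values in days, as in the mail), then reports whether secondaries would expire the zone before the signatures they hold can go stale.

```python
import re

# Constructed sample of `dig +multiline soa example.com` output (not a real query).
DIG_OUTPUT = """\
example.com.            3600 IN SOA ns1.example.com. hostmaster.example.com. (
                                2013041101 ; serial
                                7200       ; refresh (2 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
"""

# Constructed named.conf fragment with a shortened signing schedule (hypothetical).
NAMED_CONF = "options { sig-validity-interval 10 5; };"

def soa_expire_seconds(dig_text):
    """Extract the SOA expire timer (seconds) from dig +multiline output."""
    m = re.search(r"^\s*(\d+)\s*;\s*expire\b", dig_text, re.MULTILINE)
    if not m:
        raise ValueError("no expire field in SOA output")
    return int(m.group(1))

def parse_sig_validity_interval(conf_text):
    """Read `sig-validity-interval N [M];`; returns (validity_days, resign_days or None)."""
    m = re.search(r"sig-validity-interval\s+(\d+)(?:\s+(\d+))?\s*;", conf_text)
    if not m:
        return 30, None          # option absent: named's default validity
    return int(m.group(1)), (int(m.group(2)) if m.group(2) else None)

def sig_validity_schedule(validity_days=30, resign_days=None):
    """Return (validity, resign, replace_after) in days. The resign window
    defaults to a quarter of the validity, as named does (30 -> 7.5, 22.5)."""
    if resign_days is None:
        resign_days = validity_days / 4
    return validity_days, resign_days, validity_days - resign_days

def expiry_is_safe(soa_expire_secs, validity_days=30, resign_days=None):
    """True when a secondary that stops refreshing expires the zone before its
    signatures can: every signature on the master has at least `resign` days left."""
    _, resign, _ = sig_validity_schedule(validity_days, resign_days)
    return soa_expire_secs / 86400 < resign

def check(dig_text, conf_text):
    """Combine both inputs into a one-word verdict for the operator."""
    expire = soa_expire_seconds(dig_text)
    validity, resign = parse_sig_validity_interval(conf_text)
    return "ok" if expiry_is_safe(expire, validity, resign) else "expiry too long"
```

With the defaults a 7-day expire is fine (7 < 7.5); with `sig-validity-interval 10 5;` the same zone fails, which is exactly the caveat about shortening the interval without revisiting the SOA.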