Multi Master/Primary Authoritative DNSSEC DNS Nameserver With Synced/Replicated COMMON Dir/Vol For BIND

Matthew Pounsett matt at conundrum.com
Mon Sep 30 19:11:04 UTC 2024


On Sat, Sep 28, 2024 at 11:13 AM Terik Erik Ashfolk <aterik at outlook.com>
wrote:

>
> But 1024 or 2048 bit RSA key-pairs are considered weak.
>

Those are considered weak for _encryption_ because of the risk of future
decryption of secrets.  The window for someone to brute force your keys and
fake signatures with a limited lifetime is closed the second you rotate
your existing keys, and rotating every year or two is plenty for that use
case.


What is your motivation for doing multi-signer here?  The only thing I can
think of is if you have an extremely high change rate on the zone, and
can't afford to have the signer down for a few hours overnight if it
fails.  For pretty much any other use case you're fine having a single
signer, with a much MUCH simpler configuration, which can be replaced in a
heartbeat next-business-day if the production signer fails for some reason.
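Added illustration, not part of the thread: the single-signer, rotate-every-year-or-two approach argued for above, written as a BIND dnssec-policy. The zone name, file path and the specific lifetimes/validity periods are assumptions chosen to match the advice in the reply.

```conf
// Added example (not from the thread): one signer, RSA-2048 keys on a
// rotation schedule, short-lived signatures. Zone name and paths are placeholders.
dnssec-policy "rotate-yearly" {
    keys {
        // KSK: rolled every two years; a KSK roll also needs a DS update at the parent
        ksk key-directory lifetime P2Y algorithm rsasha256 2048;
        // ZSK: rolled every year; named performs the pre-publish rollover itself
        zsk key-directory lifetime P1Y algorithm rsasha256 2048;
    };
    // Signatures are valid for 14 days and regenerated after 5 days, so a
    // signature forged from a key that is later recovered stops validating
    // as soon as that key is retired and removed from the DNSKEY RRset.
    signatures-validity 14d;
    signatures-validity-dnskey 14d;
    signatures-refresh 5d;
    dnskey-ttl 3600;
    max-zone-ttl 86400;
    // Delete key files 90 days after the key is no longer in use
    purge-keys P90D;
};

zone "example.com" {                      // placeholder zone
    type primary;
    file "/var/named/example.com.db";     // placeholder path
    dnssec-policy "rotate-yearly";
    inline-signing yes;
};
```

Secondaries only need AXFR/IXFR of the signed zone from this one primary; if the signer host fails, the replacement loads the same key directory and policy and continues the schedule.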