Hello,
To be more precise:
1) DNSSEC keys do not expire! (Signatures - generated with keys - do!)
--> this message does not mean you have to *renew* DNSSEC key;
you have to regenerate signatures.
2) ISC tools generate signatures that are by default valid for one month (30 days)
(after generation time - make sure calculating server is time sync'd)
3) I suppose, though, you are using (or: trying to use) BIND's "smart signing".
In which case you are, unfortunately, not the first to notice signatures
may not be regenerated in time :-(
Already several incidents - with even TLDs sending expired signatures -
happened in this area.
--> either don't use smart signing (and have some cronjob recalculate every week
- in addition to recalculation after a change in the unsigned zone data)
Or "thaw" and "unthaw" zone files - it has been experienced this triggers
"smart signing" into recalculating (but double check!)
4) Although DNSSEC keys do not expire, do change them regularly:
2-3 months for ZSKs,
1-2 years for KSKs.
Kind regards,
Marc Lampo
Security Officer
EURid - for the .eu top-level-domain
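
Added example (not part of the original message): a monitoring check that reads RRSIG records in the text form `dig +dnssec` prints and reports signatures that are expired, not yet valid, or close to expiry. The zone name, key tags, dates and the 7-day warning threshold (chosen to match the weekly recalculation suggested above) are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records; the base64 signature field is a placeholder.
SAMPLE = """\
example.eu. 3600 IN RRSIG SOA 8 2 3600 20240131000000 20240101000000 12345 example.eu. c2lnLXBsYWNlaG9sZGVy
example.eu. 3600 IN RRSIG NS 8 2 3600 20240110000000 20231211000000 12345 example.eu. c2lnLXBsYWNlaG9sZGVy
example.eu. 3600 IN RRSIG DNSKEY 8 2 3600 20240103000000 20231204000000 54321 example.eu. c2lnLXBsYWNlaG9sZGVy
example.eu. 3600 IN NS ns1.example.eu.
"""

def _ts(field):
    # Handles the YYYYMMDDHHmmSS (UTC) form of RRSIG timestamps only.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Yield (owner, type_covered, key_tag, inception, expiration) per RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        # owner TTL class RRSIG covered alg labels origTTL expiration inception tag signer sig
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue
        yield f[0], f[4], int(f[10]), _ts(f[9]), _ts(f[8])

def check(text, now, min_remaining=timedelta(days=7)):
    """Return (status, owner, type_covered, key_tag) for each signature needing attention."""
    findings = []
    for owner, covered, tag, inception, expiration in parse_rrsigs(text):
        if now >= expiration:
            status = "EXPIRED"
        elif now < inception:
            status = "NOT_YET_VALID"  # usually clock skew on the signer or the checker
        elif expiration - now < min_remaining:
            status = "EXPIRING"       # re-signing has not happened in time
        else:
            continue
        findings.append((status, owner, covered, tag))
    return findings

if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives a reproducible result.
    for finding in check(SAMPLE, datetime(2024, 1, 5, tzinfo=timezone.utc)):
        print(*finding)
```
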