https://fedorahosted.org/freeipa/ticket/4657
Patch attached. -- Martin Basti
From ca07d7ca46aa15e5862b0706537f692d096975ae Mon Sep 17 00:00:00 2001 From: Martin Basti <mba...@redhat.com> Date: Thu, 14 May 2015 17:17:55 +0200 Subject: [PATCH] DNSSEC: update opendnssec kasp configuration * remove unneeded parts * increase KSK key length to 3072 Update is not required, as teplate contains just recommended values, which should by reviewed by administrators. https://fedorahosted.org/freeipa/ticket/4657
---
 install/share/opendnssec_kasp.template | 77 +---------------------------------
 1 file changed, 2 insertions(+), 75 deletions(-)
diff --git a/install/share/opendnssec_kasp.template b/install/share/opendnssec_kasp.template
index cad9f7c5d51bcaac6866cb9db3b84d69a86e7f17..86f7a209e06a7004a4de3c51b349282b6e977174 100644
--- a/install/share/opendnssec_kasp.template
+++ b/install/share/opendnssec_kasp.template
@@ -1,20 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!--
-
- NOTE: The default policy below is a TEMPLATE ONLY and should be reviewed
- before used in any production environment. The administrator should
- consult the OpenDNSSEC documentation before changing any parameters.
-
- If you can read this message, it is likely that this file has not
- been reviewed nor updated.
-
--->
-
 <KASP>
 <Policy name="default">
- <Description>A default policy that will amaze you and your friends</Description>
+ <Description>IPA default policy</Description>
 <Signatures>
 <Resign>PT2H</Resign>
 <Refresh>P3D</Refresh>
@@ -49,7 +38,7 @@
 <!-- Parameters for KSK only -->
 <KSK>
- <Algorithm length="2048">8</Algorithm>
+ <Algorithm length="3072">8</Algorithm>
 <Lifetime>P1Y</Lifetime>
 <Repository>SoftHSM</Repository>
 </KSK>
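Review bot: Dropping the NOTE comment in the first hunk removes the only in-file reminder that the policy values are recommendations to be reviewed, while the commit message itself says they "should be reviewed by administrators" — the deployed kasp.xml now carries no such hint. The original wording ("if you can read this message...") was clearly meant for the upstream sample and deserved replacing, but not with nothing. A single line after the XML declaration keeps the guidance without the noise: `<!-- IPA default KASP policy: values are recommended defaults; review against the OpenDNSSEC documentation before relying on or changing them -->`. The new Description text is fine as is.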
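Review bot: The changed KSK `Algorithm` line in the second hunk carries no rationale, and the commit message says only "increase KSK key length to 3072"; since this is the parameter an administrator is most likely to revisit, it should have a why-comment next to it, e.g. `<!-- Algorithm 8 = RSA/SHA-256; 3072-bit KSK, rolled yearly (see Lifetime) -->`. The default policy's ZSK entry lies outside this hunk, so whether it keeps a shorter key cannot be seen here; if it does, the same comment is the place to say that the KSK is deliberately larger. It is also worth stating, in the comment or the commit message, whether the new length presumably applies only to keys generated after the policy is reloaded, with existing KSKs kept until their scheduled rollover — the patch does not say.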
@@ -85,66 +74,4 @@
 </Policy>
- <Policy name="lab">
- <Description>Quick turnaround policy for lab work</Description>
- <Signatures>
- <Resign>PT10M</Resign>
- <Refresh>PT30M</Refresh>
- <Validity>
- <Default>PT1H</Default>
- <Denial>PT1H</Denial>
- </Validity>
- <Jitter>PT1M</Jitter>
- <InceptionOffset>PT3600S</InceptionOffset>
- </Signatures>
-
- <Denial>
- <NSEC/>
- </Denial>
-
- <Keys>
- <!-- Parameters for both KSK and ZSK -->
- <TTL>PT300S</TTL>
- <RetireSafety>PT360S</RetireSafety>
- <PublishSafety>PT360S</PublishSafety>
- <!-- <ShareKeys/> -->
- <Purge>P14D</Purge>
-
- <!-- Parameters for KSK only -->
- <KSK>
- <Algorithm length="2048">8</Algorithm>
- <Lifetime>P1Y</Lifetime>
- <Repository>SoftHSM</Repository>
- </KSK>
-
- <!-- Parameters for ZSK only -->
- <ZSK>
- <Algorithm length="2048">8</Algorithm>
- <Lifetime>PT4H</Lifetime>
- <Repository>SoftHSM</Repository>
- <!-- <ManualRollover/> -->
- </ZSK>
- </Keys>
-
- <Zone>
- <PropagationDelay>PT300S</PropagationDelay>
- <SOA>
- <TTL>PT300S</TTL>
- <Minimum>PT300S</Minimum>
- <Serial>unixtime</Serial>
- </SOA>
- </Zone>
-
- <Parent>
- <PropagationDelay>PT9999S</PropagationDelay>
- <DS>
- <TTL>PT3600S</TTL>
- </DS>
- <SOA>
- <TTL>PT172800S</TTL>
- <Minimum>PT10800S</Minimum>
- </SOA>
- </Parent>
-
- </Policy>
 </KASP>
-- 2.1.0