On 14.5.2015 17:23, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/4657

Looking at the 3072-bit key size, I think we can prolong the KSK key rotation period
to 2 years.

It should be okay according to http://dx.doi.org/10.6028/NIST.SP.800-81-2
section 11.2.

Modified patch is attached.

Thank you for reviewing it :-)

-- 
Petr^2 Spacek
From 72a859796a05f90728b783c9c45e739b8081d51f Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 14 May 2015 17:17:55 +0200
Subject: [PATCH] DNSSEC: update OpenDNSSEC KASP configuration

* remove unneeded parts
* increase KSK key length to 3072
* increase KSK key lifetime to 2 years (see NIST SP 800-81-2 section 11.2)

Update is not required, as the template contains just recommended values
which should be reviewed by administrators.

https://fedorahosted.org/freeipa/ticket/4657
---
 install/share/opendnssec_kasp.template | 79 ++--------------------------------
 1 file changed, 3 insertions(+), 76 deletions(-)

diff --git a/install/share/opendnssec_kasp.template b/install/share/opendnssec_kasp.template
index cad9f7c5d51bcaac6866cb9db3b84d69a86e7f17..803b945a04977dde26b46faa9169a10389023062 100644
--- a/install/share/opendnssec_kasp.template
+++ b/install/share/opendnssec_kasp.template
@@ -1,20 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<!--
-
-  NOTE:  The default policy below is a TEMPLATE ONLY and should be reviewed
-         before used in any production environment. The administrator should
-         consult the OpenDNSSEC documentation before changing any parameters.
-
-         If you can read this message, it is likely that this file has not
-         been reviewed nor updated.
-
-  -->
-
 <KASP>
 
 	<Policy name="default">
-		<Description>A default policy that will amaze you and your friends</Description>
+		<Description>IPA default policy</Description>
 		<Signatures>
 			<Resign>PT2H</Resign>
 			<Refresh>P3D</Refresh>
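Review bot: deleting the whole "TEMPLATE ONLY and should be reviewed" comment removes the only in-file hint that administrators are expected to review these values, which the commit message itself says they should do; instead of dropping the note, keep a one-line XML comment above `<Policy name="default">` saying that these are FreeIPA's recommended defaults and should be reviewed before production use. The `<Description>IPA default policy</Description>` change itself is fine.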
@@ -49,8 +38,8 @@
 
 			<!-- Parameters for KSK only -->
 			<KSK>
-				<Algorithm length="2048">8</Algorithm>
-				<Lifetime>P1Y</Lifetime>
+				<Algorithm length="3072">8</Algorithm>
+				<Lifetime>P2Y</Lifetime>
 				<Repository>SoftHSM</Repository>
 			</KSK>
 
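Review bot: the rationale for `<Algorithm length="3072">8</Algorithm>` and `<Lifetime>P2Y</Lifetime>` lives only in the commit message (NIST SP 800-81-2 section 11.2); since the template is what an administrator reads when tuning the policy, add an XML comment next to the KSK block citing that section, and mention there that RSASHA256 at 3072 bits produces larger DNSKEY and RRSIG records than the previous 2048-bit setting, so response sizes grow accordingly.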
@@ -85,66 +74,4 @@
 
 	</Policy>
 
-	<Policy name="lab">
-		<Description>Quick turnaround policy for lab work</Description>
-		<Signatures>
-			<Resign>PT10M</Resign>
-			<Refresh>PT30M</Refresh>
-			<Validity>
-				<Default>PT1H</Default>
-				<Denial>PT1H</Denial>
-			</Validity>
-			<Jitter>PT1M</Jitter>
-			<InceptionOffset>PT3600S</InceptionOffset>
-		</Signatures>
-
-		<Denial>
-			<NSEC/>
-		</Denial>
-
-		<Keys>
-			<!-- Parameters for both KSK and ZSK -->
-			<TTL>PT300S</TTL>
-			<RetireSafety>PT360S</RetireSafety>
-			<PublishSafety>PT360S</PublishSafety>
-			<!-- <ShareKeys/> -->
-			<Purge>P14D</Purge>
-
-			<!-- Parameters for KSK only -->
-			<KSK>
-				<Algorithm length="2048">8</Algorithm>
-				<Lifetime>P1Y</Lifetime>
-				<Repository>SoftHSM</Repository>
-			</KSK>
-
-			<!-- Parameters for ZSK only -->
-			<ZSK>
-				<Algorithm length="2048">8</Algorithm>
-				<Lifetime>PT4H</Lifetime>
-				<Repository>SoftHSM</Repository>
-				<!-- <ManualRollover/> -->
-			</ZSK>
-		</Keys>
-
-		<Zone>
-			<PropagationDelay>PT300S</PropagationDelay>
-			<SOA>
-				<TTL>PT300S</TTL>
-				<Minimum>PT300S</Minimum>
-				<Serial>unixtime</Serial>
-			</SOA>
-		</Zone>
-
-		<Parent>
-			<PropagationDelay>PT9999S</PropagationDelay>
-			<DS>
-				<TTL>PT3600S</TTL>
-			</DS>
-			<SOA>
-				<TTL>PT172800S</TTL>
-				<Minimum>PT10800S</Minimum>
-			</SOA>
-		</Parent>
-
-	</Policy>
 </KASP>
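Review bot: the commit message's "remove unneeded parts" does not say why the `lab` policy is unneeded; the message should state that only the `default` policy is used. Note also that the removed block was the file's only example of `<NSEC/>` denial and of the commented-out `<ShareKeys/>` and `<ManualRollover/>` options, so an administrator tuning the remaining policy loses those hints; the `<PropagationDelay>PT9999S</PropagationDelay>` and `PT10M` resign interval confirm it was lab-only tuning, so dropping it from the shipped template is otherwise the right call.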
-- 
2.1.0
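A check an administrator could run over a KASP file before deploying it, as an added example that is not FreeIPA or OpenDNSSEC code: it parses the policy XML, converts the ISO 8601 lifetimes OpenDNSSEC uses (P2Y, PT2H, P3D, ...) to seconds, and flags RSA keys below a minimum length, SHA-1 based algorithms, and lifetimes beyond a ceiling. The sample KASP fragment is constructed to mirror the post-patch KSK values in the thread; the ZSK values and all thresholds (2048-bit minimum, 2-year KSK and 90-day ZSK ceilings) are assumptions chosen for illustration, not values taken from the thread or from NIST SP 800-81-2.

```python
import re
import xml.etree.ElementTree as ET

# Constructed KASP fragment (example data, not the FreeIPA template itself).
# KSK values mirror the thread's post-patch settings; ZSK values are assumed.
KASP_SAMPLE = """<KASP>
  <Policy name="default">
    <Description>IPA default policy</Description>
    <Keys>
      <KSK>
        <Algorithm length="3072">8</Algorithm>
        <Lifetime>P2Y</Lifetime>
        <Repository>SoftHSM</Repository>
      </KSK>
      <ZSK>
        <Algorithm length="2048">8</Algorithm>
        <Lifetime>P90D</Lifetime>
        <Repository>SoftHSM</Repository>
      </ZSK>
    </Keys>
  </Policy>
</KASP>
"""

# Same fragment weakened for contrast: a 1024-bit RSASHA1-NSEC3-SHA1 KSK kept for 3 years.
WEAK_SAMPLE = KASP_SAMPLE.replace(
    '<Algorithm length="3072">8</Algorithm>', '<Algorithm length="1024">7</Algorithm>'
).replace("P2Y", "P3Y")

# ISO 8601 durations as OpenDNSSEC writes them: PnYnMnWnDTnHnMnS
_DURATION = re.compile(
    r"^P(?:(?P<Y>\d+)Y)?(?:(?P<M>\d+)M)?(?:(?P<W>\d+)W)?(?:(?P<D>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def duration_seconds(text):
    """Convert an ISO 8601 duration to seconds (year = 365 d, month = 30 d)."""
    text = text.strip()
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError("bad duration: %r" % text)
    g = {k: int(v or 0) for k, v in m.groupdict().items()}
    return (g["Y"] * 365 * 86400 + g["M"] * 30 * 86400 + g["W"] * 7 * 86400
            + g["D"] * 86400 + g["h"] * 3600 + g["m"] * 60 + g["s"])


# Assumed thresholds for illustration (not taken from the thread or the NIST text).
RSA_ALGORITHMS = {5, 7, 8, 10}   # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512
SHA1_ALGORITHMS = {5, 7}
MIN_RSA_BITS = {"KSK": 2048, "ZSK": 2048}
MAX_LIFETIME = {"KSK": duration_seconds("P2Y"), "ZSK": duration_seconds("P90D")}


def lint_kasp(xml_text):
    """Return (policy name, key type, message) findings for every Policy in the file."""
    findings = []
    for policy in ET.fromstring(xml_text).findall("Policy"):
        name = policy.get("name", "?")
        for key_type in ("KSK", "ZSK"):
            key = policy.find("Keys/" + key_type)
            alg = key.find("Algorithm") if key is not None else None
            if alg is None or alg.text is None:
                findings.append((name, key_type, "no Algorithm defined"))
                continue
            algo, bits = int(alg.text), int(alg.get("length", "0"))
            if algo in RSA_ALGORITHMS and bits < MIN_RSA_BITS[key_type]:
                findings.append((name, key_type, "RSA key too short: %d bits" % bits))
            if algo in SHA1_ALGORITHMS:
                findings.append((name, key_type, "SHA-1 based algorithm %d" % algo))
            lifetime = key.findtext("Lifetime", "")
            if duration_seconds(lifetime) > MAX_LIFETIME[key_type]:
                findings.append((name, key_type, "lifetime %s exceeds limit" % lifetime))
    return findings


if __name__ == "__main__":
    for sample in (KASP_SAMPLE, WEAK_SAMPLE):
        print(lint_kasp(sample) or "no findings")
```

Run against a real kasp.xml by passing its contents to `lint_kasp`; the duration parser is the part most worth reusing, since OpenDNSSEC expresses every interval in the file (Resign, Refresh, TTLs, Lifetime) in the same notation.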

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
