Re: signature expiration
If nothing changes, only the SOA serial will be incremented on resign. The signatures don't 'have' to be renewed every 30 days, you can resign as often as you want / need.

regards
~Carlos

On 4/11/13 9:14 AM, hugo hugoo wrote:
> Hello,
>
> Can anyone tell me why signatures in DNSSEC must be renewed every 30 days?
> What are the modifications made on a zone with a resign?
>
> Thanks in advance for the clarifications.
>
> Hugo,

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: signature expiration
Alan Clegg wrote:
>
> I use dynamic zones and never concern myself with expired signatures.
> You can also use inline signing to remove this "hassle".

Yes!

> Better solution: Sign them more often. Why not sign them twice a day?
> I personally don't think that extending the signature validity period is
> a good idea.

I agree with the principle. There is a caveat though (Alan knows this but it should probably be made explicit):

If you reduce sig-validity-interval you need to understand how it interacts with zone expiry on slave servers. The SOA expiry time should be less than the second sig-validity-interval parameter.

The first sig-validity-interval parameter is the total signature lifetime (30 days by default); the second parameter is the time allowed between signature replacement and expiry (7.5 days by default). So by default signatures are replaced after 22.5 days.

If there is an outage, you want your slave servers to expire the zone before the signatures become stale. You don't want your secondaries serving bogus data. So the default sig-validity-interval works nicely with a 7 day zone expiry timer.

(dig +multiline soa is your friend.)

Tony.
--
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
Re: signature expiration
On Apr 11, 2013, at 8:34 AM, Noel Butler wrote:

> Sign them for longer, I typically use 90 days
>
> On Thu, 2013-04-11 at 12:14, hugo hugoo wrote:
>> Hello,
>>
>> Can anyone tell me why signatures in DNSSEC must be renewed every 30 days?
>> What are the modifications made on a zone with a resign?
>>
>> Thanks in advance for the clarifications.

Better solution: Sign them more often. Why not sign them twice a day?

I use dynamic zones and never concern myself with expired signatures. You can also use inline signing to remove this "hassle".

I personally don't think that extending the signature validity period is a good idea.

AlanC
--
Alan Clegg | +1-919-355-8851 | a...@clegg.com
Re: signature expiration
hugo hugoo wrote:
> Can anyone tell me why signatures in DNSSEC must be renewed every 30
> days?

The limited lifetime of the signatures reduces your exposure to a replay attack. After the signature has expired an attacker cannot fool a victim by giving them the stale data.

> What are the modifications made on a zone with a resign?

The signatures are regenerated with updated expiry times.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Re: signature expiration
Sign them for longer, I typically use 90 days

On Thu, 2013-04-11 at 12:14, hugo hugoo wrote:
> Hello,
>
> Can anyone tell me why signatures in DNSSEC must be renewed every 30
> days?
> What are the modifications made on a zone with a resign?
>
> Thanks in advance for the clarifications.
>
> Hugo,
signature expiration
Hello,

Can anyone tell me why signatures in DNSSEC must be renewed every 30 days?
What are the modifications made on a zone with a resign?

Thanks in advance for the clarifications.

Hugo,