> Reading RFC 4641bis version 11, section 4.4.2.3 mentions why it's a good
> idea to have different lifetimes, but it's not very strong about it. Is it
> still a good idea to have a different policy? I understand that policy
> decisions are local and different lifetimes can be avoided by using the
> same lifetime value for both cases, but I'm trying to understand rather
> than fixing.

Another example: If you are a TLD and running NSEC, then most of your signatures probably are over the NSEC. If you want to lower the changes in the zone, then you could differentiate the signature lifetimes.

This feature is probably not used so much. It was part of the initial requirements of OpenDNSSEC, but it was never used by the one requesting it.

When integrating two different solutions, then we have to limit ourselves to a common set of features. Thus you have to make sure to use the same lifetime values.

// Rickard

Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
