On Tue, Sep 2, 2014 at 2:37 PM, Yuri Schaeffer <[email protected]> wrote:
>
>> And the second question: could somebody please explain the reasons
>> for increasing ZSK lifetime from 30 to 90 days in the default
>> policy?
>
> My guess is that 90 is considered "better" than 30 for people who just
> copy the defaults. Those people do not tend to be paranoid.
>
> But maybe Jakob remembers?
>
> $ git show 627d8279
> commit 627d82798aeb0d54e30bd63ce3a0131c4dbbb509
> Author: Jakob Schlyter <[email protected]>
> Date:   Wed Apr 18 12:47:28 2012 +0000
>
>     Change the default signature validity to 14 days (was 7 days)
>     Change the default ZSK lifetime to 90 days (was 30 days)

Thank you, Yuri. If I modify kasp.xml and revert to the old default values (7/30), followed by "ods-ksmutil update kasp", do I need to perform a manual ZSK rollover or will it be handled automatically?

Thanks.
