On 09/08/2014 02:56 PM, Roman Serbski wrote:
> On Tue, Sep 2, 2014 at 2:37 PM, Yuri Schaeffer <[email protected]> wrote:
>>
>>> And the second question: could somebody please explain the reasons
>>> for increasing ZSK lifetime from 30 to 90 days in the default
>>> policy?
>>
>> My guess is that 90 is considered "better" than 30 for people who just
>> copy the defaults. Those people do not tend to be paranoid.
>>
>> But maybe Jakob remembers?
>>
>> $ git show 627d8279
>> commit 627d82798aeb0d54e30bd63ce3a0131c4dbbb509
>> Author: Jakob Schlyter <[email protected]>
>> Date: Wed Apr 18 12:47:28 2012 +0000
>>
>> Change the default signature validity to 14 days (was 7 days)
>> Change the default ZSK lifetime to 90 days (was 30 days)
>
> Thank you Yuri.
>
> If I modify kasp.xml and revert to the old default values (7/30),
> followed by "ods-ksmutil update kasp", do I need to perform manual ZSK
> rollover or it will be handled automatically?
>
I was bitten by this change while adopting it in my setup, then
forgetting to manually trigger a resign, causing my public signatures
(containing the old 7 days setting) to expire because ODS thought it
wasn't required to resign until somewhere between 7 and 14 days after I
updated the config. If you don't change signature validity, it shouldn't
give issues. So:
# ods-ksmutil update all (or kasp)
# for d in $domainlist; do ods-signer sign $d; done
Regards,
Tom
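The failure Tom describes (signatures made under the old validity expiring before the signer thinks a resign is due) is easy to catch with a check over the signed zone: flag every RRSIG that is already expired or expires within a chosen margin. This is an added example, not code from the thread or from OpenDNSSEC; the RRSIG lines are constructed sample data and the warn_days margin is a hypothetical operator choice.

```python
"""Flag RRSIGs in a signed zone whose expiration is closer than a chosen margin."""
import re
from datetime import datetime, timezone

# Presentation-format RRSIG (RFC 4034 section 3.2):
# owner TTL IN RRSIG type alg labels origTTL expiration inception keytag signer signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+\d+\s+\S+\s+\S+"
)


def parse_sigtime(stamp):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def expiring_rrsigs(zone_text, now, warn_days):
    """Return (owner, covered type, expiration, days_left) for each RRSIG that is
    already expired (negative days_left) or expires within warn_days of `now`."""
    findings = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue  # not an RRSIG line; data RRs and comments are skipped
        exp = parse_sigtime(m["expiration"])
        days_left = (exp - now).total_seconds() / 86400
        if days_left <= warn_days:
            findings.append((m["owner"], m["covered"], exp, round(days_left, 2)))
    return findings


# Constructed sample zone fragment (not a real zone): a 7-day signature made on
# 2014-09-08, an older one already past expiry, and a 14-day DNSKEY signature.
SAMPLE_ZONE = """\
www.example.com. 3600 IN RRSIG A 8 3 3600 20140915120000 20140908120000 23456 example.com. AbCd...
mail.example.com. 3600 IN RRSIG A 8 3 3600 20140910120000 20140903120000 23456 example.com. EfGh...
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20140922120000 20140908120000 12345 example.com. IjKl...
"""

if __name__ == "__main__":
    now = parse_sigtime("20140912120000")
    for owner, covered, exp, days in expiring_rrsigs(SAMPLE_ZONE, now, warn_days=4):
        print(f"{owner} {covered}: expires {exp:%Y-%m-%d %H:%M} UTC ({days:+.1f} days)")
```

Run it from cron against the signed zone file and alert on any finding; a negative days_left means resolvers are already failing validation for that name.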
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
