Well, when the intention is just experimenting and testing Knot behavior
during roll-overs, then such settings are pretty much OK :)
For real DNSSEC deployment, there is no reason to have key lifetime
shorter than several months.
Libor
On 16.07.20 at 11:43, Tuomo Soini wrote:
On Wed, 15 Jul 2020 16:53:14 +0200
Jan-Piet Mens <list(a)mens.de> wrote:
I have the following signing policy configured in a test environment:
ksk-lifetime: 30m
zsk-lifetime: 2h
These settings are insane. You shouldn't have that short lifetime for
ksk. Make sure your ksk lifetime is at least multiple times longer than
zsk lifetime.