Alan Clegg <a...@clegg.com> wrote:
> > I use dynamic zones and never concern myself with expired signatures.
> You can also use inline signing to remove this "hassle".
Yes!

> Better solution: Sign them more often. Why not sign them twice a day?
> I personally don't think that extending the signature validity period is
> a good idea.

I agree with the principle. There is a caveat though (Alan knows this but it should probably be made explicit):

If you reduce sig-validity-interval you need to understand how it interacts with zone expiry on slave servers. The SOA expiry time should be less than the second sig-validity-interval parameter.

The first sig-validity-interval parameter is the total signature lifetime (30 days by default); the second parameter is the time allowed between signature replacement and expiry (7.5 days by default). So by default signatures are replaced after 22.5 days.

If there is an outage, you want your slave servers to expire the zone before the signatures become stale. You don't want your secondaries serving bogus data. So the default sig-validity-interval works nicely with a 7 day zone expiry timer.

(dig +multiline soa is your friend.)

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.