Hi Ondrej. THANKS.
Done what you have suggested: changed to opPolicy6M with KSK changing every 6M, & ZSK every 21 days.

But 1024 or 2048 bit RSA key-pairs are considered weak.

And we should assume online-connected devices+software have unknown bugs+ways where key-pair integrity is compromised, when malicious attempts succeed at a weak point / weak moment.
And we should also assume there are unknown external items for data.
So it is always better to change/replace key-pairs within a shorter period when the server is (always) online (in my case, for HA), (and not kept hidden/offline).


My project requires DNSSEC-validated connections+links for users' homepages and devices, etc. Some components are open-source, & some are partially closed & available over API.
I could not continuously work on this project.
(I can DM you more specifics, but not on the mailing list.)


Achieving HA (High-Availability), (with low-cost stuff/components), is an essential objective,
which I mentioned in my 1st post at the beginning.

Out of three/3 servers/sets (with BIND name-servers, Apache2/NginX web-servers, PostgreSQL, etc., etc.),
even if two/2 servers are completely burned/failed/down,
the remaining 1 server must be 100% working (providing all types of web services to world+local users+visitors),
& the remaining 1 needs to be sufficient to re-create the failed server(s).
For this, HA solution/steps are a MUST+needed, & shared storage is required as the 1st item for HA.


I agree, I & users need simple components, easily provisioned + replaceable, and easy to operate+run.

For a low-cost & HA solution, users (MUST) be able to follow at least HOWTO setup guides, & be able to copy-paste, & be able to change the hostname & IP address in the guide to match their real server's/device's real hostname/IP address. The user does not need to know/have IETF RFC-level knowledge & conventions & resources, etc., etc. Once the guided setup is done by the user, then automation scripts do the missing steps/functions in BIND, Apache2, PostgreSQL, etc.


I'm trying to remove any item/solution that is/has a single point of failure (POF) (SPOF).
Everything needs to be at least double, for HA.


Thanks in advance.

Erik.

Erik T Ashfolk.
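For reference, the policy described in the message above expressed as a BIND 9.16+ `dnssec-policy` block in named.conf. This is an added example, not Erik's configuration or ISC's sample: the policy name and the 6-month KSK / 21-day ZSK lifetimes are taken from the message, while the zone name, zone file path, key algorithm and safety intervals are assumptions.

```conf
# Added example (not from the original thread): a BIND dnssec-policy with the
# lifetimes named in the message above. Zone name, file path, key algorithm and
# the safety intervals are assumptions; the thread does not state them.
dnssec-policy "opPolicy6M" {
    keys {
        # Lifetimes are ISO 8601 durations: P6M = 6 months, P21D = 21 days.
        # Every KSK rollover also requires a new DS record at the parent zone.
        ksk lifetime P6M  algorithm ecdsap256sha256;
        zsk lifetime P21D algorithm ecdsap256sha256;
    };
    # How long a successor key is pre-published before use / kept after retirement
    # (assumed values, chosen to cover normal secondary-server propagation).
    publish-safety PT1H;
    retire-safety  PT1H;
};

zone "example.com" {
    type primary;
    file "example.com.db";          # assumed path
    dnssec-policy "opPolicy6M";
    inline-signing yes;
};
```

Check the file with `named-checkconf` before reloading, and use `rndc dnssec -status example.com` to see the computed rollover timeline for each key. Because each KSK rollover in this policy depends on the parent publishing the new DS record, the operator (or an automation script) has to confirm that step, for example with `rndc dnssec -checkds published example.com`; with a 6-month KSK lifetime that is the recurring manual/automated step the thread is debating.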


On 9/27/24 8:19 PM, Ondřej Surý wrote:

On 28. 9. 2024, at 1:31, Terik Erik Ashfolk <ate...@outlook.com> wrote:

and during consideration I was using a dnssec-policy opPolicy2W with KSK changing 
every 20 days, & ZSK every 10 days.

Now I changed to another dnssec-policy opPolicy3M : KSK changing every ~ 3 months 
& ZSK every 22 days.

Just don’t do this. It makes absolutely no sense to change keys so often. This 
is not x509. You should know how to change the KSK, so practicing it (or 
automating it) makes sense every so often (like couple of years). But there’s 
absolutely no reason to change the cryptographic material so often. You don’t 
change your ssh keys every 20 days, do you?

You talk about “increasing costs” by adding one more server. This is a fallacy 
- everything you described so far increases costs because of the total 
complexity of your setup.

You want to run simple components that can be easily provisioned and replaced 
and don't need PhD degrees to operate and run. Any added complexity has to 
be justified and whatever is the zone(s) you are running (you haven’t shared 
any details), it would never be justified to have a complex setup like this. 
Complex means fragile, not resilient.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
