On Sat, Sep 28, 2024 at 11:13 AM Terik Erik Ashfolk <ate...@outlook.com> wrote:
> > But 1024 or 2048 bit RSA key-pairs are considered weak.

Those are considered weak for _encryption_ because of the risk of future decryption of secrets. The window for someone to brute force your keys and fake signatures with a limited lifetime is closed the second you rotate your existing keys, and rotating every year or two is plenty for that use case.

What is your motivation for doing multi-signer here? The only thing I can think of is if you have an extremely high change rate on the zone, and can't afford to have the signer down for a few hours overnight if it fails. For pretty much any other use case you're fine having a single signer, with a much MUCH simpler configuration, which can be replaced in a heartbeat next-business-day if the production signer fails for some reason.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
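As an added illustration (not part of the thread, and not ISC's own configuration) of the single-signer setup the reply recommends, the following BIND 9 `dnssec-policy` fragment has `named` rotate a 2048-bit RSA ZSK every year and the KSK every two years, the cadence the message describes as sufficient for signing keys. The zone name, zone file name, policy name and the choice of `rsasha256` are assumptions for the example, not values from the thread.

```conf
// Added example, not from the thread: one signer with automatic key rollover.
// Zone name, file name and policy name are placeholders.
dnssec-policy "rsa2048-yearly" {
    keys {
        // KSK rotated every two years, ZSK every year. The algorithm and
        // 2048-bit length are an assumed choice for the example.
        ksk lifetime P2Y algorithm rsasha256 2048;
        zsk lifetime P1Y algorithm rsasha256 2048;
    };
};

zone "example.net" {
    type primary;
    file "db.example.net";
    dnssec-policy "rsa2048-yearly";
    inline-signing yes;
};
```

Validate the file with `named-checkconf` before reloading, and watch the rollover state with `rndc dnssec -status example.net`. One caveat a single-signer operator still owns: a KSK rollover is only complete once the new DS is published at the parent, and `named` will not retire the old KSK until it has been told so (`rndc dnssec -checkds published example.net`) or has verified it via configured parental agents, so the yearly-or-two-yearly cadence needs a matching DS update procedure to go with it.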