On Mon, Feb 08, 2021 at 01:45:06AM -0500, Viktor Dukhovni wrote:

> The inception was 124 days in the past, so this is a 6 month RRSIG
> validity, which I think is long enough to increase the odds of
> complacency.  If the RRSIG lifetime were only 30 days or less,
> this would more likely have been subject to well-oiled automation.

Well, 4 months actually, but still too long IMHO...

> I do not recommend either X.509 certificate or RRSIG lifetimes quite
> this long.  Shorter lifetimes IMHO promote better discipline.

-- 
    Viktor.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
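An added example, not part of the original message: a monitoring check that parses a dig-style RRSIG line, computes the signature lifetime and time remaining, and flags windows longer than the 30 days mentioned in the thread. The sample records, the owner name, the key tag and the 7-day warning margin are constructed assumptions; they are not the data of the zone under discussion.

```python
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=30)   # threshold suggested in the message above
MIN_REMAINING = timedelta(days=7)   # assumed alerting margin, not from the thread

# Constructed sample records (placeholder signatures, not real zone data).
LONG_SIG = ("example.com. 3600 IN RRSIG SOA 8 2 3600 "
            "20210207000000 20201007000000 12345 example.com. c2lnbmF0dXJl")
SHORT_SIG = ("example.com. 3600 IN RRSIG SOA 8 2 3600 "
             "20210218000000 20210204000000 12345 example.com. c2lnbmF0dXJl")

def _ts(field):
    """RFC 4034 3.2: times are YYYYMMDDHHmmSS (UTC) or decimal epoch seconds."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsig(line):
    """Fields after 'RRSIG': covered alg labels origttl expiration inception
    keytag signer signature."""
    f = line.split()
    i = f.index("RRSIG")
    return {"owner": f[0], "covered": f[i + 1],
            "expiration": _ts(f[i + 5]), "inception": _ts(f[i + 6]),
            "keytag": int(f[i + 7]), "signer": f[i + 8]}

def audit(line, now):
    """Return lifetime, age and a list of findings for one RRSIG at time 'now'."""
    sig = parse_rrsig(line)
    lifetime = sig["expiration"] - sig["inception"]
    remaining = sig["expiration"] - now
    findings = []
    if now < sig["inception"]:
        findings.append("not-yet-valid")
    if remaining <= timedelta(0):
        findings.append("expired")
    elif remaining < MIN_REMAINING:
        findings.append("expiring-soon")
    if lifetime > MAX_LIFETIME:
        findings.append("long-lifetime")
    return {"lifetime_days": lifetime.days,
            "age_days": (now - sig["inception"]).days,
            "findings": findings}

if __name__ == "__main__":
    now = datetime(2021, 2, 8, 6, 45, 6, tzinfo=timezone.utc)
    for rec in (LONG_SIG, SHORT_SIG):
        print(audit(rec, now))
```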
