Dear colleagues:

While reviewing this document and working on the DPS for .NZ, I found little coverage of how to pick a signature validity period.

Section 3.1.2 indicates:

    The Zone Signing Key can be used to sign all the data in a zone on a regular basis. When a Zone Signing Key is to be rolled, no interaction with the parent is needed. This allows for signature validity periods on the order of days. Placing the signature validity period in the range of days

Then section 4.1.1 explores certain relations between the signature validity period and parameters of the zone (Max zone TTL, Min zone TTL, SOA expire), which are useful because they provide context and suggest minimum values, but not maximum values. Then section 4.4.4 recommends a minimum signature validity for DS records on the order of a few days.

The only reference I could find with an argument for a higher limit on signature validity was in a presentation from Richard Lamb about DNSSEC deployment @ IANA [1]. That presentation says "Signatures on zone records are only valid for six days to prevent replay attacks".

So, my first question is: should the document include recommendations about a maximum value for the signature validity? Does "the order of days" mean up to 15 days? 21 days? 30?

Second, based on observations from the current DNSSEC deployment and on the text itself, I identified three different cases for signature validities depending on the record type:

1. Signatures for DNSKEY records
2. Signatures for DS records
3. Signatures for the rest of the data in the zone

In the "wild", you can observe that the signature validity period for DNSKEY is, in some cases, different from the signature validity period for NSEC/NSEC3 records. You can see this more clearly in the following table:

    Zone   DNSKEY sig-validity   SOA/NSEC/NSEC3 sig-validity
    arpa   15 days               7 days
    br     71 days               7 days
    cz     ~13 days              ~11 days
    org    14 days               14 days
    pr     30 days               30 days
    pt     30 days               30 days
    se     ~6 days               ~6 days
    uk     14 days               14 days
    us     30 days               30 days
    .      15 days               7 days

Note: the validity is calculated as the difference between the expiration and inception of the signature covering the corresponding record.

For the root zone, the DNSKEY signature validity is aligned with the slot they have defined to pre-generate signatures in order to reduce access to the KSK; I assume "arpa" has a similar policy.

Should the document include text describing the convenience (or inconvenience) of having different validities depending on the record type, and also document the root zone's policy of dividing the ZSK rollover period into predefined slots to make the pre-generation of signatures easier? In my particular opinion, that solution is very handy for reducing access to the KSK.

Kind Regards

[1] http://www.ripe.net/ripe/meetings/ripe-55/presentations/lamb-dnssec.pdf
[2] https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-dps-framework/

--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
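The message above measures validity as the RRSIG expiration minus its inception, per covered record type. As an added example (editor's code, not part of the original message or the draft), the following Python parses RRSIG records in presentation format, groups the validity periods by covered type the way the table does, and flags a DNSKEY validity that differs from the other types. The sample RRSIGs are constructed, and the "validity must exceed the maximum zone TTL" rule is an assumed sanity check, not text from the draft.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample RRSIGs in presentation format (assumed, not real zone data).
# Fields after "RRSIG": type-covered alg labels orig-TTL expiration inception keytag signer sig
SAMPLE_RRSIGS = """\
example. 3600 IN RRSIG DNSKEY 8 1 3600 20240116000000 20240101000000 12345 example. c2lnMQ==
example. 3600 IN RRSIG SOA 8 1 3600 20240108000000 20240101000000 54321 example. c2lnMg==
example. 3600 IN RRSIG NSEC 8 1 3600 20240108000000 20240101000000 54321 example. c2lnMw==
www.example. 3600 IN RRSIG A 8 2 3600 20240108000000 20240101000000 54321 example. c2lnNA==
"""

TIMEFMT = "%Y%m%d%H%M%S"  # RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC

def parse_rrsig(line):
    """Parse one RRSIG presentation-format line into a dict with UTC datetimes."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    ts = lambda s: datetime.strptime(s, TIMEFMT).replace(tzinfo=timezone.utc)
    return {"owner": f[0], "covered": f[4], "expiration": ts(f[8]),
            "inception": ts(f[9]), "keytag": int(f[10])}

def validity_days(sig):
    """Validity period = expiration - inception, in days (as in the table)."""
    return (sig["expiration"] - sig["inception"]).total_seconds() / 86400

def validity_by_type(text):
    """Map each covered type to the set of validity periods (days) seen for it."""
    out = defaultdict(set)
    for line in filter(str.strip, text.splitlines()):
        sig = parse_rrsig(line)
        out[sig["covered"]].add(round(validity_days(sig), 2))
    return dict(out)

def check_validity(text, max_zone_ttl):
    """Findings: DNSKEY validity differing from the other types, and (assumed sanity
    rule) any signature whose validity does not exceed max_zone_ttl seconds."""
    findings = []
    by_type = validity_by_type(text)
    dnskey = by_type.get("DNSKEY", set())
    others = set().union(*(v for t, v in by_type.items() if t != "DNSKEY"))
    if dnskey and others and dnskey != others:
        findings.append("DNSKEY validity %s days differs from other types %s days"
                        % (sorted(dnskey), sorted(others)))
    for line in filter(str.strip, text.splitlines()):
        sig = parse_rrsig(line)
        if validity_days(sig) * 86400 <= max_zone_ttl:
            findings.append("%s %s: validity <= max zone TTL" % (sig["owner"], sig["covered"]))
    return findings
```

Feeding it the RRSIGs of a real zone (e.g. the output of a zone transfer or a signed zone file) reproduces the per-type columns of the table for that zone.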