On Fri, Jul 21, 2017 at 1:36 PM, Tony Finch <d...@dotat.at> wrote:
> Andrew Sullivan <a...@anvilwalrusden.com> wrote:
>>
>> For instance, people also express astonishment that DNSKEYs don't
>> expire.  Everyone always has to be reminded that signatures expire, and
>> if you want to expire keys you take them out of the zone.
>
> I agree with your message.
>
> It might be useful to explain this DNSKEY oddity by comparison with x.509
> certificates. In particular, it's the cert that expires, not the key, and
> when you renew a cert you can re-use the same key.


Yeah, you *can* reuse the same key, but (I suspect) most don't -- from
what I've seen, the general process is:
1: Erk! My cert is about to / has just expired!!!
2: Search for and follow some online recipe related to "make ssl certificate"
3: ????
4: Go back to sleep.

I think (but would be happy to be proven wrong) that most
certificate renewals[0] involve a change of keys too.

W
[0]: Well, "legacy certs", excluding sexy new things like LE / ACME, etc.

>
> Tony.



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
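The comparison Tony proposes, worked through as an added example (this is not code from the thread or from any of the participants): issue a certificate twice from one key pair and check that the public key is unchanged while only notAfter moves, then look at constructed DNSSEC records to see that the expiration and inception timestamps live in the RRSIG, not the DNSKEY. It assumes openssl(1) on PATH, a writable scratch directory, and a hypothetical name example.test; the RRSIG and DNSKEY lines are made up for illustration and are not real zone data.

```shell
#!/bin/sh
# Added example, not code from the thread: an X.509 certificate carries the
# expiry; the key it certifies does not. "Renew" twice from one key pair and
# compare. Likewise a DNSSEC RRSIG carries expiration/inception timestamps
# while a DNSKEY carries none. Requires openssl(1) on PATH.
set -eu

command -v openssl >/dev/null || { echo "openssl(1) required" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"    # assumption: a writable scratch directory
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/key.pem"

# One long-lived key pair, generated once and never rotated here.
gen_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$KEY" 2>/dev/null
}

# Self-signed certificate for the existing key, valid $2 days, written to $1.
# Reusing $KEY is the "renew with the same key" path.
issue_cert() {
    openssl req -new -x509 -key "$KEY" -days "$2" \
        -subj "/CN=example.test" -out "$1" 2>/dev/null
}

# SHA-256 of the DER SubjectPublicKeyInfo carried in a certificate.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# notAfter as printed by openssl x509 (e.g. "Jul 22 13:36:00 2018 GMT").
not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Returns 0 if $1 will have expired within $2 seconds, 1 if still valid then.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; then
        return 1
    fi
    return 0
}

# Returns 0 when two certificates certify the same public key.
same_key() {
    [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ]
}

# Constructed DNSSEC records in presentation format (not real zone data).
# RRSIG rdata: type-covered alg labels orig-ttl EXPIRATION INCEPTION keytag signer sig
SAMPLE_RRSIG='example.test. 3600 IN RRSIG A 13 2 3600 20170821120000 20170722120000 12345 example.test. c29tZXNpZw=='
# DNSKEY rdata: flags protocol alg public-key; there is no timestamp field.
SAMPLE_DNSKEY='example.test. 3600 IN DNSKEY 257 3 13 c29tZWtleQ=='

# Field 9 of an RRSIG line is the signature expiration (YYYYMMDDHHmmSS).
rrsig_expiration() { printf '%s\n' "$1" | awk '{print $9}'; }

# Number of YYYYMMDDHHmmSS timestamps in a record: 2 for RRSIG, 0 for DNSKEY.
timestamp_count() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -c -E '^[0-9]{14}$' || true
}

gen_key
issue_cert "$WORK/cert-old.pem" 1       # about to expire
issue_cert "$WORK/cert-new.pem" 365     # renewed from the same key
printf 'old: key %s  notAfter %s\n' \
    "$(spki_fingerprint "$WORK/cert-old.pem")" "$(not_after "$WORK/cert-old.pem")"
printf 'new: key %s  notAfter %s\n' \
    "$(spki_fingerprint "$WORK/cert-new.pem")" "$(not_after "$WORK/cert-new.pem")"
printf 'RRSIG expires %s; DNSKEY carries %s timestamps\n' \
    "$(rrsig_expiration "$SAMPLE_RRSIG")" "$(timestamp_count "$SAMPLE_DNSKEY")"
```

The two fingerprints print identical and only the notAfter dates differ, which is the X.509 analogue of an unchanged DNSKEY under freshly generated RRSIGs; to retire the key on either side you stop publishing it (drop the DNSKEY from the zone, or stop issuing certificates for it), you do not wait for it to expire.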
