Displaying 4 results from an estimated 4 matches for "dnsskey".
2019 Feb 13
2
DNSSEC Questions
Last weekend I had my DNSSEC keys expire. I discovered that they had
expired the hard way... namely randomly websites could not be found and
email did not get delivered. It seems that the keys were only valid for
what I estimate was about 30 days. It is a real PITA to have to update the
keys, restart named and then update Godaddy with new digests.
The first part of the problem is fairly
2019 Feb 13
0
DNSSEC Questions
...> keys, restart named and then update Godaddy with new digests.
DNSSEC keys do not expire. Signatures do expire. How long a signature is
good for depends upon the software generating the signature, some lets
you specify. ldns I believe defaults to 60 days but I am not sure.
The keys are in DNSSKEY records that are signed by your Key Signing Key
and must be resigned before the signature expires or they will no
longer validate.
Likewise, the other records in the zone must be resigned by your Zone
Signing Key before their signatures expire.
>
> The first part of the problem is fair...
2019 Feb 13
3
DNSSEC Questions
On 2/12/19 10:55 PM, Alice Wonder wrote:
> DNSSEC keys do not expire. Signatures do expire. How long a signature
> is good for depends upon the software generating the signature, some
> lets you specify. ldns I believe defaults to 60 days but I am not sure.
>
> The keys are in DNSSKEY records that are signed by your Key Signing
> Key and must be resigned before the signature expires or they will no
> longer validate.
>
> Likewise, the other records in the zone must be resigned by your Zone
> Signing Key before their signatures expire.
> <snip>
> It...
2019 Feb 13
0
DNSSEC Questions
...5 PM, Alice Wonder wrote:
>> DNSSEC keys do not expire. Signatures do expire. How long a signature
>> is good for depends upon the software generating the signature, some
>> lets you specify. ldns I believe defaults to 60 days but I am not sure.
>>
>> The keys are in DNSSKEY records that are signed by your Key Signing
>> Key and must be resigned before the signature expires or they will no
>> longer validate.
>>
>> Likewise, the other records in the zone must be resigned by your Zone
>> Signing Key before their signatures expire.
>&...