Re: [dns-wg] RIPE NCC DNSSEC Key Maintenance: Preemptive Key Signing Key Rollover
To: bmanning@localhost
From: "Olaf M. Kolkman" olaf@localhost
Date: Fri, 15 Sep 2006 19:34:53 +0200
Cc: Ruben van Staveren ruben@localhost, dns-wg@localhost

On 14 Sep 2006, at 7:03 PM, bmanning@localhost wrote:
> as a suggestion, could you -please- put a date on the web page
> that indicates when the keys were generated or expected to be valid?

I agree the inception date to be very handy. But an expected end date
has the danger that people will hard code such a thing into their
scripts and that might prevent rolls just like the one we see now.
The minimal time they are to be valid would be OK. Then the script
can take that as its TTL.
I would also like to point this community to
draft-ietf-dnsext-trustupdate-timers which is very relevant in this
context --in terms of a standardized method for automatic rollovers--
and is about to be last called.
[1] http://tools.ietf.org/wg/dnsext/draft-ietf-dnsext-trustupdate-timers/
---Olaf
-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/