8134d46cdb
The key lifetime should not be shorter than the time it costs to introduce the successor key, otherwise keys will be created faster than they are removed, resulting in a large key set. The time it takes to replace a key is determined by the publication interval (Ipub) of the successor key and the retire interval of the predecessor key (Iret). For the ZSK, Ipub is the sum of the DNSKEY TTL and zone propagation delay (and publish safety). Iret is the sum of Dsgn, the maximum zone TTL and zone propagation delay (and retire safety). The sign delay is the signature validity period minus the refresh interval: The time to ensure that all existing RRsets have been re-signed with the new key. The ZSK lifetime should be larger than both values. For the KSK, Ipub is the sum of the DNSKEY TTL and zone propagation delay (and publish safety). Iret is the sum of the DS TTL and parent zone propagation delay (and retire safety). The KSK lifetime should be larger than both values.
92 lines
2.0 KiB
Plaintext
92 lines
2.0 KiB
Plaintext
/*
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* SPDX-License-Identifier: MPL-2.0
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*/
|
|
|
|
dnssec-policy "bad-lifetime-ksk" {
|
|
/*
|
|
* The KSK lifetime is too short.
|
|
* The ZSK lifetime is good enough but should trigger a warning.
|
|
*/
|
|
keys {
|
|
ksk lifetime PT3H algorithm 13;
|
|
zsk lifetime P8DT2H1S algorithm 13;
|
|
};
|
|
|
|
dnskey-ttl PT1H;
|
|
publish-safety PT1H;
|
|
retire-safety PT1H;
|
|
zone-propagation-delay PT1H;
|
|
max-zone-ttl P1D;
|
|
signatures-validity P10D;
|
|
signatures-refresh P3D;
|
|
parent-ds-ttl PT1H;
|
|
parent-propagation-delay PT5M;
|
|
};
|
|
|
|
dnssec-policy "bad-lifetime-zsk" {
|
|
/*
|
|
* The ZSK lifetime is too short.
|
|
* The KSK lifetime is good enough but should trigger a warning.
|
|
*/
|
|
keys {
|
|
ksk lifetime PT3H1S algorithm 13;
|
|
zsk lifetime P8DT2H algorithm 13;
|
|
};
|
|
|
|
dnskey-ttl PT1H;
|
|
publish-safety PT1H;
|
|
retire-safety PT1H;
|
|
zone-propagation-delay PT1H;
|
|
max-zone-ttl P1D;
|
|
signatures-validity P10D;
|
|
signatures-refresh P3D;
|
|
parent-ds-ttl PT1H;
|
|
parent-propagation-delay PT5M;
|
|
};
|
|
|
|
dnssec-policy "bad-lifetime-csk" {
|
|
/*
|
|
* The CSK lifetime is too short.
|
|
*/
|
|
keys {
|
|
csk lifetime PT3H algorithm 13;
|
|
};
|
|
|
|
dnskey-ttl PT1H;
|
|
publish-safety PT1H;
|
|
retire-safety PT1H;
|
|
zone-propagation-delay PT1H;
|
|
max-zone-ttl P1D;
|
|
signatures-validity P10D;
|
|
signatures-refresh P3D;
|
|
parent-ds-ttl PT1H;
|
|
parent-propagation-delay PT5M;
|
|
};
|
|
|
|
zone "bad-lifetime-ksk.example.net" {
|
|
type primary;
|
|
file "bad-lifetime-ksk.example.db";
|
|
dnssec-policy "bad-lifetime-ksk";
|
|
};
|
|
|
|
zone "bad-lifetime-zsk.example.net" {
|
|
type primary;
|
|
file "bad-lifetime-zsk.example.db";
|
|
dnssec-policy "bad-lifetime-zsk";
|
|
};
|
|
|
|
zone "bad-lifetime-csk.example.net" {
|
|
type primary;
|
|
file "bad-lifetime-csk.example.db";
|
|
dnssec-policy "bad-lifetime-csk";
|
|
};
|