On 1/27/2015 5:42 PM, Viktor Dukhovni wrote:
On Tue, Jan 27, 2015 at 05:30:26PM -0500, John wrote:
However, if I look a little closer I see that my RRSIG has a life of about 30 days. I don't remember specifying any times when I signed my zones, plus I am now using inline signing.
That's what I'm talking about. The 30 day lifetime is likely a default if you don't override it. It is likely best to leave it that way, unless you have stricter security requirements and the operational capability to work within a more narrow expiration window.
Darn you Mr Dukhovni, there I was drifting along in blissful ignorance, now you have made me think ;) Now I have to investigate sig-validity-interval, ah well.
With inline signing, how much extra work do you think will/would be involved?
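A way to see the signature lifetime discussed in this thread and to watch for signatures nearing expiry, as an added example that is not part of the original messages: it parses one RRSIG record in the presentation format defined by RFC 4034 (as printed by `dig +dnssec`) and reports lifetime and time remaining. The sample record, the `example.com.` names, the key tag and the 7-day warning threshold are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample record (not from the thread); the signature is a placeholder.
SAMPLE = (
    "example.com. 3600 IN RRSIG SOA 8 2 3600 "
    "20150226213026 20150127213026 12345 example.com. c2lnbmF0dXJl"
)

def _ts(field):
    # RFC 4034 presentation form: YYYYMMDDHHmmSS, always UTC
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Return type covered, signer, inception and expiration of one RRSIG line."""
    tok = line.split()
    i = tok.index("RRSIG")
    if len(tok) < i + 10:
        raise ValueError("truncated RRSIG record")
    # RDATA order: covered alg labels orig-ttl expiration inception keytag signer sig
    return {
        "covered": tok[i + 1],
        "expiration": _ts(tok[i + 5]),
        "inception": _ts(tok[i + 6]),
        "signer": tok[i + 8],
    }

def check(line, now, warn_days=7):
    """Classify a signature as 'not-yet-valid', 'expired', 'expiring' or 'ok'."""
    r = parse_rrsig(line)
    lifetime = (r["expiration"] - r["inception"]).days
    remaining = (r["expiration"] - now).total_seconds() / 86400
    if now < r["inception"]:
        state = "not-yet-valid"   # usually clock skew on the validator or signer
    elif remaining <= 0:
        state = "expired"         # validating resolvers will treat the RRset as bogus
    elif remaining < warn_days:
        state = "expiring"        # re-signing should already have replaced this
    else:
        state = "ok"
    return state, lifetime, round(remaining, 1)

if __name__ == "__main__":
    print(check(SAMPLE, datetime.now(timezone.utc)))
```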