On Fri, Nov 09, 2018 at 11:51:56PM -0800, S Moonesamy wrote:

> Please see http://dnsviz.net/d/www.irtf.org/dnssec/

My take on this is that it is a symptom of an unfortunate operational model. Both irtf.org and ietf.org seem optimized for more DNSSEC signing key security than is operationally wise, likely with off-line signature keys and a manual process to re-sign the zones on an *annual* basis. They are DNSSEC-signed roughly once each year, with correspondingly long RRsigs. And timely re-signing seems to be a bit of a hit-or-miss affair; IIRC I saw similar problems with ietf.org a year or two back.

In my experience the operational discipline to reliably perform a manual critical process just once a year is not easily attained. It would be far better to accept the risk of having the keys online on a hardened master node that automatically re-signs the zones once or twice a month, or even just continuously (as with BIND's "maintain" model).

Perhaps the folks at AMSL and their ietf.org liaisons can be persuaded to adopt a more reliable operating model, along with monitoring that checks that all the key RRsigs are sufficiently far above a minimum threshold on the remaining signature validity time and are getting automatically re-signed.

-- 
Viktor.
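An added illustration, not part of Viktor's message, of the monitoring he describes in the last paragraph: a check that every apex RRSIG still has more than a minimum amount of validity left, and a check that signature expirations actually advance between two observations, i.e. that automatic re-signing is running. It parses RRSIG records in presentation format (RFC 4034 section 3.2, full owner/TTL/class form) using only the Python standard library. The zone name `example.org.`, the two snapshots, the key tags and all timestamps are constructed sample data; the 14-day threshold and the observation time are assumptions chosen for the example.

```python
"""Monitor remaining RRSIG validity and detect stalled re-signing.

Added example (not from the list posting). Stdlib only; all DNS data below
is constructed, not fetched from any real zone.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed snapshots of the apex RRSIGs of a hypothetical zone, taken two
# weeks apart. Field order: owner TTL class RRSIG type alg labels origTTL
# expiration inception keytag signer signature (signatures are placeholders).
SNAPSHOT_1 = """\
example.org. 3600 IN RRSIG DNSKEY 13 2 3600 20181120000000 20171120000000 12345 example.org. AAAA
example.org. 3600 IN RRSIG SOA 13 2 3600 20181120000000 20181020000000 54321 example.org. BBBB
example.org. 3600 IN RRSIG NS 13 2 3600 20181105000000 20181005000000 54321 example.org. CCCC
"""
SNAPSHOT_2 = """\
example.org. 3600 IN RRSIG DNSKEY 13 2 3600 20181120000000 20171120000000 12345 example.org. AAAA
example.org. 3600 IN RRSIG SOA 13 2 3600 20181204000000 20181104000000 54321 example.org. DDDD
example.org. 3600 IN RRSIG NS 13 2 3600 20181105000000 20181005000000 54321 example.org. CCCC
"""

# Assumed observation time (the date of the thread) and alert threshold.
NOW = datetime(2018, 11, 10, 12, 0, tzinfo=UTC)
MIN_REMAINING = timedelta(days=14)


@dataclass(frozen=True)
class RRSig:
    owner: str
    type_covered: str
    key_tag: int
    signer: str
    inception: datetime
    expiration: datetime


def parse_sig_time(field: str) -> datetime:
    """RFC 4034 allows YYYYMMDDHHmmSS (UTC) or seconds since the epoch."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=UTC)
    return datetime.fromtimestamp(int(field), tz=UTC)


def parse_rrsigs(zone_text: str) -> list[RRSig]:
    """Extract RRSIG records from presentation-format text; other RRs are skipped."""
    sigs = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue
        sigs.append(RRSig(
            owner=fields[0], type_covered=fields[4], key_tag=int(fields[10]),
            signer=fields[11],
            expiration=parse_sig_time(fields[8]),
            inception=parse_sig_time(fields[9]),
        ))
    return sigs


def check_validity(sigs, now, min_remaining):
    """Map (owner, type, keytag) -> (status, remaining_seconds) at time `now`."""
    findings = {}
    for s in sigs:
        remaining = int((s.expiration - now).total_seconds())
        if s.inception > now:
            status = "not-yet-valid"
        elif remaining <= 0:
            status = "expired"
        elif remaining < min_remaining.total_seconds():
            status = "low"          # below threshold: re-signing is overdue
        else:
            status = "ok"
        findings[(s.owner, s.type_covered, s.key_tag)] = (status, remaining)
    return findings


def check_resigning(prev_sigs, cur_sigs):
    """Map (owner, type) -> True if the newest expiration advanced between snapshots.

    An unchanged expiration across an interval longer than the expected
    re-sign period means the automatic re-signing job is not running.
    """
    def latest(sigs):
        out = {}
        for s in sigs:
            k = (s.owner, s.type_covered)
            out[k] = max(out.get(k, s.expiration), s.expiration)
        return out
    prev, cur = latest(prev_sigs), latest(cur_sigs)
    return {k: cur[k] > prev[k] for k in cur if k in prev}


def run_checks(now=NOW, min_remaining=MIN_REMAINING):
    """Run both checks on the constructed snapshots; returns (validity, resigning)."""
    prev, cur = parse_rrsigs(SNAPSHOT_1), parse_rrsigs(SNAPSHOT_2)
    return check_validity(cur, now, min_remaining), check_resigning(prev, cur)


if __name__ == "__main__":
    validity, resigning = run_checks()
    for (owner, rrtype, tag), (status, secs) in validity.items():
        print(f"{owner} {rrtype} keytag {tag}: {status} ({secs / 86400:.1f} days left)")
    for (owner, rrtype), advanced in resigning.items():
        print(f"{owner} {rrtype}: {'re-signed' if advanced else 'NOT re-signed'}")
```

In practice the two snapshots would come from periodic queries for the apex DNSKEY, SOA and NS RRsets with DNSSEC records requested; the threshold should be well above the re-sign interval so that a single missed run is caught while the old signatures are still valid, rather than after resolvers have already started failing validation.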