From 96f6d6ca09922f56aa63cfdebc934bd9db0d3ed5 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Thu, 14 May 2015 17:17:55 +0200
Subject: [PATCH] DNSSEC: update OpenDNSSEC KASP configuration
* remove unneeded parts
* increase KSK key length to 3072
* increase KSK key lifetime to 2 years (see NIST SP 800-81-2 section 11.2)
Update is not required, as template contains just recommended values which should by reviewed by administrators.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Petr Spacek
---
install/share/opendnssec_kasp.template | 79 +-------------------------
1 file changed, 3 insertions(+), 76 deletions(-)
diff --git a/install/share/opendnssec_kasp.template b/install/share/opendnssec_kasp.template
index cad9f7c5d..803b945a0 100644
--- a/install/share/opendnssec_kasp.template
+++ b/install/share/opendnssec_kasp.template
@@ -1,20 +1,9 @@ - - - A default policy that will amaze you and your friends + IPA default policy PT2H P3D
@@ -49,8 +38,8 @@ - 8 - P1Y + 8 + P2Y SoftHSM
@@ -85,66 +74,4 @@ - - Quick turnaround policy for lab work - - PT10M - PT30M - - PT1H - PT1H - - PT1M - PT3600S - - - - - - - - - PT300S - PT360S - PT360S - - P14D - - - - 8 - P1Y - SoftHSM - - - - - 8 - PT4H - SoftHSM - - - - - - PT300S - - PT300S - PT300S - unixtime - - - - - PT9999S - - PT3600S - - - PT172800S - PT10800S - - - -
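Review bot: The new KSK values in the second hunk (the `P2Y` lifetime, and the 3072-bit length named in the commit message) land in the template with no in-file rationale, although the description says administrators should review these values. A comment beside the KSK lifetime, e.g. `<!-- KSK: 3072-bit key, 2-year lifetime per NIST SP 800-81-2 section 11.2; recommended default, review for your deployment -->`, would keep the reasoning next to the setting. Because the description says no update is required, deployments created from the earlier template presumably keep the 1-year KSK lifetime and the previous key length; the upgrade notes should say so, so operators can adjust their KASP by hand. The enclosing KSK element is not fully visible in this hunk.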