authorMartin Basti <mbasti@redhat.com>2015-05-14 17:17:55 +0200
committerJan Cholasta <jcholast@redhat.com>2015-05-19 12:50:56 +0000
commit96f6d6ca09922f56aa63cfdebc934bd9db0d3ed5 (patch)
tree9f055b8f41ae131d721ed1a5c243f06b89fdbcda /install
parentebd91461132d2aa7d5166d03ccfe7b0d49df2c8a (diff)
DNSSEC: update OpenDNSSEC KASP configuration
* remove unneeded parts * increase KSK key length to 3072 * increase KSK key lifetime to 2 years (see NIST SP 800-81-2 section 11.2) Update is not required, as template contains just recommended values which should be reviewed by administrators. https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
Diffstat (limited to 'install')
-rw-r--r--install/share/opendnssec_kasp.template79
1 files changed, 3 insertions, 76 deletions
diff --git a/install/share/opendnssec_kasp.template b/install/share/opendnssec_kasp.template
index cad9f7c5d..803b945a0 100644
--- a/install/share/opendnssec_kasp.template
+++ b/install/share/opendnssec_kasp.template
@@ -1,20 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
- NOTE: The default policy below is a TEMPLATE ONLY and should be reviewed
- before used in any production environment. The administrator should
- consult the OpenDNSSEC documentation before changing any parameters.
-
- If you can read this message, it is likely that this file has not
- been reviewed nor updated.
-
- -->
-
<KASP>
<Policy name="default">
- <Description>A default policy that will amaze you and your friends</Description>
+ <Description>IPA default policy</Description>
<Signatures>
<Resign>PT2H</Resign>
<Refresh>P3D</Refresh>
@@ -49,8 +38,8 @@
<!-- Parameters for KSK only -->
<KSK>
- <Algorithm length="2048">8</Algorithm>
- <Lifetime>P1Y</Lifetime>
+ <Algorithm length="3072">8</Algorithm>
+ <Lifetime>P2Y</Lifetime>
<Repository>SoftHSM</Repository>
</KSK>
@@ -85,66 +74,4 @@
</Policy>
- <Policy name="lab">
- <Description>Quick turnaround policy for lab work</Description>
- <Signatures>
- <Resign>PT10M</Resign>
- <Refresh>PT30M</Refresh>
- <Validity>
- <Default>PT1H</Default>
- <Denial>PT1H</Denial>
- </Validity>
- <Jitter>PT1M</Jitter>
- <InceptionOffset>PT3600S</InceptionOffset>
- </Signatures>
-
- <Denial>
- <NSEC/>
- </Denial>
-
- <Keys>
- <!-- Parameters for both KSK and ZSK -->
- <TTL>PT300S</TTL>
- <RetireSafety>PT360S</RetireSafety>
- <PublishSafety>PT360S</PublishSafety>
- <!-- <ShareKeys/> -->
- <Purge>P14D</Purge>
-
- <!-- Parameters for KSK only -->
- <KSK>
- <Algorithm length="2048">8</Algorithm>
- <Lifetime>P1Y</Lifetime>
- <Repository>SoftHSM</Repository>
- </KSK>
-
- <!-- Parameters for ZSK only -->
- <ZSK>
- <Algorithm length="2048">8</Algorithm>
- <Lifetime>PT4H</Lifetime>
- <Repository>SoftHSM</Repository>
- <!-- <ManualRollover/> -->
- </ZSK>
- </Keys>
-
- <Zone>
- <PropagationDelay>PT300S</PropagationDelay>
- <SOA>
- <TTL>PT300S</TTL>
- <Minimum>PT300S</Minimum>
- <Serial>unixtime</Serial>
- </SOA>
- </Zone>
-
- <Parent>
- <PropagationDelay>PT9999S</PropagationDelay>
- <DS>
- <TTL>PT3600S</TTL>
- </DS>
- <SOA>
- <TTL>PT172800S</TTL>
- <Minimum>PT10800S</Minimum>
- </SOA>
- </Parent>
-
- </Policy>
</KASP>
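Review bot: The reasoning behind the new KSK values in the second hunk (`<Algorithm length="3072">8</Algorithm>`, `<Lifetime>P2Y</Lifetime>`) exists only in the commit message, while the first hunk removes the header comment that told administrators this policy is a template to be reviewed, so the shipped file now carries no hint of either. A short comment next to the KSK block, e.g. `<!-- 3072-bit RSA/SHA-256 KSK with a 2-year lifetime, per NIST SP 800-81-2 section 11.2; review before production use -->`, would keep the rationale with the values it justifies and partly restore the removed notice. The ZSK block and the `<Parent>` section of the default policy lie outside these hunks, so it cannot be seen here whether the ZSK length and the parent-side DS TTL and propagation delay were revisited alongside the KSK change; presumably the automated KSK rollover that a P2Y lifetime triggers still depends on those parent values being accurate, which is worth confirming.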