Hi there,
I was trying to set up DNSSEC for one of my domains at Porkbun and their site requires the value “MaxSigLife” to be set. As I could not find any instructions on deSEC for this, what is a sensible value to use here?
Thanks
You probably need to ask Porkbun about the meaning of this field.
I have never heard of any similar value for DNSSEC, unless this is for regenerating/rotating DNSKEYs or RRSIGs. However if you have delegated the domain to deSEC then Porkbun has nothing to do with this. At deSEC the DNSKEYs (CSKs) don’t change and the RRSIGs are generated internally.
And no similar value is required to set the DS records in the parent domain. So I have no idea why Porkbun would want this value.
“Maximum Signature Lifetime” is described here:
OK, it kind of was a Layer8 problem. I’m new to DNSSEC so I thought you had to enter the key either in DS or DNSKEY format. I only added the key in DNSKEY format for my other provider which worked.
However at Porkbun, you have to enter both formats and the “MaxSigLife” was not the issue here.
The error message simply said “We could not add the DNSSEC record” but not why and I assumed it was the missing value for MaxSigLife.
Ok, thanks!
But that would pertain to the RRSIG for the DS record which is set on the parent domain. That would be handled by the DNS server of the domain registry and clients should not be able to influence this value. So it still does not answer the question of what Porkbun uses this value for?
It probably depends on the registry. Some want the DNSKEY, others the DS data. Since the DS data is derived from the key (it is a hash value of the key) it does not make much of a difference functionally. If the registry wants the key then you lose control over which hash algorithms you want to use. But in practice that does not matter much.
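Added example, not part of the thread or any poster's code: how a DS record is derived from a DNSKEY following RFC 4034 (key tag from Appendix B, digest over canonical owner name plus DNSKEY RDATA), which is why a registry that takes the key can compute the DS itself with whatever digest type it chooses. The key bytes, the domain `example.com` and the choice of algorithm 13 are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# DS digest type numbers (IANA registry) mapped to hashlib names.
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}

# Constructed 64-byte value standing in for a public key; not a real key.
CONSTRUCTED_KEY = base64.b64encode(bytes(range(64))).decode()

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    key = base64.b64decode(pubkey_b64, validate=True)
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical owner name: lowercased, length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex_digest) for the DS record."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = hashlib.new(DIGESTS[digest_type], owner_wire(owner) + rdata)
    return key_tag(rdata), algorithm, digest_type, h.hexdigest().upper()

if __name__ == "__main__":
    # Same key, two digest types: the DNSKEY alone is enough to derive either.
    for dtype in (2, 4):
        tag, alg, dt, digest = make_ds("example.com", 257, 3, 13,
                                       CONSTRUCTED_KEY, dtype)
        print(f"example.com. IN DS {tag} {alg} {dt} {digest}")
```

Because the owner name is part of the hashed input, a DS computed for one domain does not validate the same key published under another domain.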