DNSSEC intervals

John john at klam.ca
Sun Jan 18 20:32:02 CET 2015

I have been trying to find out if there are any recommendations about the 
various intervals in a key's life, e.g. how long between publication and 
activation? Ditto for activation to inactivation? Ditto for inactivation 
to deletion?

I Googled it, but the info out there is not very helpful:
Microsoft: 7 - 7300 days (recommends 755 days) for KSK and 7 to 1875 
days (recommends 90 days) for ZSK.
ENISA: 365-1460 days (recommends 1 yr) KSK, 1 yr for ZSK.
NIST: 1 - 2 yrs for KSK, 1 - 3 m for ZSK.
Plus a lot of other recommendations ranging from 1 to 5yrs for KSK and 
from 14 days to 2 yrs for ZSK.

I am currently thinking along the lines of 90 days from Creation to 
Deletion with an active life of 30 days for ZSKs, and 420 days from Creation to 
Deletion with an active life of 360 days for KSKs.
Are these reasonable?

Plus, what are the "names" for the various intervals? There does not 
seem to be a consistent naming convention; the various points in the 
timeline seem to have fairly standard names, but not the intervals.
What is the period from creation to publication called? Ditto 
publication to activation, activation to inactivation, inactivation to 

John Allen
You are off the edge of the map, mate. Here there be monsters!
