DNSSEC intervals

Christian Rößner c at roessner-network-solutions.com
Sun Jan 18 22:50:43 CET 2015

> Am 18.01.2015 um 20:32 schrieb John <john at klam.ca>:
> I have been trying to find out if there are any recommendations about the various intervals in a key's life, e.g. how long between publication and activation? Ditto for activation to inactivation? Ditto for inactivation to deletion?
> I Googled it, but the info out there is not very helpful;
> Microsoft; 7 - 7300 days (recommends 755 days) for KSK and 7 to 1875 days (recommends 90 days) for ZSK.
> ENISA   365-1460 days (recommends 1 yr) KSK, 1 yr for ZSK
> NIST 1 - 2 yrs for KSK, 1 - 3 m for ZSK.
> Plus a lot of other recommendations ranging from 1 to 5yrs for KSK and from 14 days to 2 yrs for ZSK.
> I am currently thinking along the lines of 90 days from Creation to Deletion with an active life of 30 days for ZSKs, and 420 days from Creation to Deletion with an active life of 360 days for KSKs.
> Are these reasonable?
> Plus, what are the "names" for the various intervals? There does not seem to be a consistent naming convention; the various points in the timeline seem to have fairly standard names, but not the intervals.
> What is the period from creation to publication called? ditto publication to activation, activation to inactivation, inactivation to deletion?

I asked a DNS specialist the same questions. His answer was that it depends :-)

I have written scripts for PowerDNS that rotate the ZSK every month (1st to 3rd of each month; three days, three steps). I think I will keep the KSKs for about 4-5 years (currently no scripts).

Bachelor of Science Informatik
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
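As an added illustration (not code from either poster or from PowerDNS), the following lays out the five timeline points John names from the lengths of the intervals between them, chains successive ZSKs so that signing never stops, and checks the overlap a pre-publish rollover needs. John only gives 90 days creation to deletion and 30 days active; the split of the remaining 60 days into the other three intervals is my assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

START = date(2015, 2, 1)  # constructed start date for the first key


@dataclass(frozen=True)
class KeyTimeline:
    """The five points on a key's timeline as named in the thread."""
    name: str
    created: date
    published: date
    activated: date
    inactivated: date
    deleted: date

    @property
    def lifetime_days(self) -> int:
        return (self.deleted - self.created).days


def plan_key(name, created, pre_publish, pre_activate, active, post_inactive):
    """Lay out one key from the lengths (days) of the four intervals between
    creation, publication, activation, inactivation and deletion."""
    published = created + timedelta(days=pre_publish)
    activated = published + timedelta(days=pre_activate)
    inactivated = activated + timedelta(days=active)
    deleted = inactivated + timedelta(days=post_inactive)
    return KeyTimeline(name, created, published, activated, inactivated, deleted)


def plan_successors(first, count, pre_publish, pre_activate, active, post_inactive):
    """Chain keys so each successor activates on the day its predecessor is
    inactivated, i.e. continuous signing with no gap."""
    keys = [first]
    for i in range(1, count):
        created = keys[-1].inactivated - timedelta(days=pre_publish + pre_activate)
        keys.append(plan_key(f"{first.name}-{i}", created,
                             pre_publish, pre_activate, active, post_inactive))
    return keys


def rollover_problems(keys):
    """Pre-publish rollover rule: the successor's DNSKEY must be in the zone
    strictly before the predecessor stops signing, and signing must not gap."""
    problems = []
    for old, new in zip(keys, keys[1:]):
        if not new.published < old.inactivated:
            problems.append(f"{new.name} published {new.published}, "
                            f"not before {old.name} inactivated {old.inactivated}")
        if new.activated > old.inactivated:
            problems.append(f"signing gap between {old.name} and {new.name}")
    return problems


if __name__ == "__main__":
    # John's ZSK figures: 90 days creation to deletion, 30 days active.
    # Assumed split of the other 60 days: 7 pre-publish, 23 pre-activate, 30 post-inactive.
    chain = plan_successors(plan_key("zsk-0", START, 7, 23, 30, 30), 4, 7, 23, 30, 30)
    for k in chain:
        print(k.name, k.published, k.activated, k.inactivated, k.deleted, k.lifetime_days)
    print(rollover_problems(chain) or "rollover chain ok")
```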
