DNSSEC intervals

Carsten Strotmann carsten at strotmann.de
Mon Jan 19 13:21:21 CET 2015

Hello John,

John wrote:
> I have been trying to find out if there are any recommendations about the
> various intervals in a key's life, e.g. how long between publication and
> activation? Ditto for activation to inactivation? Ditto for inactivation
> to deletion?

have a look at "DNSSEC Key Rollover Timing Considerations" (an IETF
draft document that might be promoted to an RFC later) -->

Also, read RFC 6781

> I Googled it, but the info out there is not very helpful;
> Microsoft; 7 - 7300 days (recommends 755 days) for KSK and 7 to 1875
> days (recommends 90 days) for ZSK.
> ENISA   365-1460 days (recommends 1 yr) KSK, 1 yr for ZSK
> NIST 1 - 2 yrs for KSK, 1 - 3 m for ZSK.
> Plus a lot of other recommendations ranging from 1 to 5yrs for KSK and
> from 14 days to 2 yrs for ZSK.

there are no technical reasons to roll the DNSSEC keys, but (security-)
policy reasons. The policy will be different between sites and

> I am currently thinking along the lines of 90 days from Creation to
> Deletion with an active life of 30 days for ZSKs. 420 days from Creation to
> Deletion with an active life of 360 days for KSKs.
> Are these reasonable?

Some of the times depend on the propagation times between the master DNS
server and the slaves (zone-transfer), the rollover-type
(pre-publication or double-signing) and the time-to-live (TTL) of the
records in the DNS zone.

Without knowing these values, I cannot say if the times are reasonable.
They *look* reasonable.

Usually one starts with the life-times of the KSK and ZSK, and
calculates all the other time-values from there (prepublication,
activation, deactivation, deletion). It is good practice to also
calculate some buffer times.

> Plus, what are the "names" for the various intervals, there does not
> seem to be a consistent naming convention, the various points in the
> timeline seem to have fairly standard names but not intervals.
> What is the period from creation to publication called? ditto
> publication to activation, activation to inactivation, inactivation to
> deletion?

the standard "names" are in RFC 6781

Best regards
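As an added example, not part of this thread, the calculation Carsten describes worked through for a pre-publication ZSK rollover (RFC 6781 section 4.1.1.1): given the key's active lifetime, the DNSKEY and maximum zone TTLs and the master-to-slave propagation delay, derive the publish, activate, retire and remove times and check whether they fit a planned creation-to-deletion span. The sample TTL, propagation and buffer values are assumptions.

```python
from datetime import datetime, timedelta

def zsk_prepublish_timeline(activate, lifetime, dnskey_ttl, max_zone_ttl,
                            propagation, signing_delay=timedelta(0),
                            safety=timedelta(0)):
    """Event times of a pre-publication ZSK rollover (RFC 6781 sect. 4.1.1.1).

    activate: when the new ZSK starts signing; lifetime: its planned active period;
    dnskey_ttl: TTL of the DNSKEY RRset; max_zone_ttl: largest TTL of any signed
    RRset; propagation: worst-case master-to-slave transfer delay; signing_delay:
    time to regenerate all RRSIGs with the new key; safety: buffer per interval.
    """
    # Pre-publish interval: the new DNSKEY must have reached every slave and
    # every cache still holding the old DNSKEY RRset before it signs anything.
    i_pub = propagation + dnskey_ttl + safety
    # Retire interval: the old key stays published until no cache can still
    # hold an RRSIG it produced (re-sign + propagation + max RRSIG TTL).
    i_ret = signing_delay + propagation + max_zone_ttl + safety
    retire = activate + lifetime
    return {
        "publish": activate - i_pub,
        "activate": activate,
        "retire": retire,  # inactive: stops signing but stays published
        "remove": retire + i_ret,
    }

def window_days(timeline):
    """Length of the publish-to-remove window in (fractional) days."""
    return (timeline["remove"] - timeline["publish"]) / timedelta(days=1)

def fits_plan(timeline, creation_to_deletion_days):
    """True if the rollover window fits the planned creation-to-deletion span."""
    return window_days(timeline) <= creation_to_deletion_days

def example_plan():
    """Constructed sample values: 30-day active ZSK, 1-day TTLs, 1-hour propagation."""
    return zsk_prepublish_timeline(
        activate=datetime(2015, 2, 1),
        lifetime=timedelta(days=30),
        dnskey_ttl=timedelta(days=1),
        max_zone_ttl=timedelta(days=1),
        propagation=timedelta(hours=1),
        safety=timedelta(days=1),
    )

if __name__ == "__main__":
    plan = example_plan()
    for event, when in plan.items():
        print(f"{event:9s} {when:%Y-%m-%d %H:%M}")
    print("fits a 90-day creation-to-deletion plan:", fits_plan(plan, 90))
```

With these inputs the whole publish-to-remove window is just over 34 days, so a 30-day active life inside a 90-day creation-to-deletion span leaves ample room; shrink the span below the window and the check fails.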

