DNSSEC: Configuring auto-signed dynamic zone HOWTO

Alan Clegg aclegg at isc.org
Tue Feb 23 21:02:27 UTC 2010


Nicholas Wheeler wrote:
> On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote: 
>> (Well, for now the plan is to do it once a year by hand. Then, we'll see...)
> 
> For the record, NIST recommends rolling the ZSK every three months, and
> the KSK every two years.

And there are lots of other opinions on this timing as well.

Rolling ZSK using BIND 9.7 is amazingly easy - I'm planning on writing a
short paper on this as time permits.

Rolling KSK is a bit more difficult as there aren't a lot of registrars
that have the ability to accept DS records at this point anyway, and I
don't see them implementing RFC-5011 personally...

It's coming, it's just not here quite yet.

AlanC


More information about the bind-users mailing list