DNSSEC: Configuring auto-signed dynamic zone HOWTO

Paul Wouters paul at xelerance.com
Tue Feb 23 21:21:28 UTC 2010


On Tue, 23 Feb 2010, Alan Clegg wrote:

>> For the record, NIST recommends to roll the ZSK every three months, and
>> the KSK every two years.
>
> And there are lots of other opinions on this timing as well.

Note that you cannot really talk about rolling key recommendations without
mentioning the key sizes (and algorithms) involved.

I believe the above NIST recommendation is for 1024-bit RSASHA1 ZSKs
and 2048-bit RSASHA1 2048-bit keys. They might also apply to RSASHA256 keys.

Paul


