DNSSEC: Configuring auto-signed dynamic zone HOWTO

Kevin Oberman oberman at es.net
Tue Feb 23 21:58:43 UTC 2010


> Date: Tue, 23 Feb 2010 16:02:27 -0500
> From: Alan Clegg <aclegg at isc.org>
> Sender: bind-users-bounces+oberman=es.net at lists.isc.org
> 
> Nicholas Wheeler wrote:
> > On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote: 
> >> (Well, for now the plan is to do it once a year by hand. Then, we'll see...)
> > 
> > For the record, NIST recommends to roll the ZSK every three months, and
> > the KSK every two years.

My copy of SP800-81r1 says ZSK 1 month and KSK 1-2 years. It also
recommends a 2048 bit key for both KSK and ZSK. It was still draft when
I printed it out, but I suspect that the final draft will match these
recommendations.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751


