Automatic key rollover (Was: DNSSEC: Configuring auto-signed dynamic zones HOWTO)

Eugene Crosser crosser at average.org
Wed Feb 24 07:34:15 UTC 2010


Nicholas Wheeler wrote:
> On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote: 
>> (Well, for now the plan is to do it once a year by hand. Then, we'll see...)
> 
> For the record, NIST recommends to roll the ZSK every three months, and
> the KSK every two years.

Let me put it this way: by the time I become bothered with automatic key
rollover, hopefully bind 9.7 will become part of the distribution that I use.
Then I'll figure things out.

BTW, I feel wary about letting named do everything related to zone signing for
me. For one, private KSK, and probably 'top' zone ZSK, are not going to be
readable by named. And maybe even not going to live on the same host.

Eugene
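As an added illustration of the rollover schedule quoted in the thread (not code from the thread or from BIND), the script below audits BIND 9.7-style `.key` files: it classifies each key as KSK or ZSK from the DNSKEY flags field and flags keys older than the NIST intervals (ZSK three months, KSK two years). The two key files are constructed samples with placeholder key material, and the `; Created:` comment format is assumed to match what BIND writes.

```python
"""Audit BIND DNSSEC key files against the NIST rollover intervals quoted above."""
import re
from datetime import datetime, timedelta

# Rollover intervals from the thread: ZSK every three months, KSK every two years.
MAX_AGE = {"ZSK": timedelta(days=90), "KSK": timedelta(days=730)}

# Constructed sample .key files in BIND 9.7 style (placeholder key material, not real keys).
SAMPLE_KEYS = {
    "Kexample.org.+008+12345.key": """; This is a key-signing key, keyid 12345, for example.org.
; Created: 20080115000000
; Publish: 20080115000000
; Activate: 20080115000000
example.org. IN DNSKEY 257 3 8 AwEAAbXXXXconstructedXXXX
""",
    "Kexample.org.+008+54321.key": """; This is a zone-signing key, keyid 54321, for example.org.
; Created: 20100101000000
; Publish: 20100101000000
; Activate: 20100101000000
example.org. IN DNSKEY 256 3 8 AwEAAcXXXXconstructedXXXX
""",
}

DNSKEY_RE = re.compile(r"\bIN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s+")
CREATED_RE = re.compile(r"^;\s*Created:\s*(\d{14})", re.M)


def parse_key(text):
    """Return (role, created) from a .key file; role comes from the DNSKEY flags."""
    m = DNSKEY_RE.search(text)
    if not m:
        raise ValueError("no DNSKEY record found")
    flags = int(m.group(1))
    # Flags 257 = zone key (256) + SEP bit (1): the SEP bit marks a KSK; 256 alone is a ZSK.
    role = "KSK" if flags & 0x0001 else "ZSK"
    c = CREATED_RE.search(text)
    if not c:
        raise ValueError("no Created: timestamp")
    created = datetime.strptime(c.group(1), "%Y%m%d%H%M%S")
    return role, created


def rollover_report(files, now):
    """Map filename -> (role, age_in_days, rollover_due) using the MAX_AGE intervals."""
    report = {}
    for name, text in files.items():
        role, created = parse_key(text)
        age = now - created
        report[name] = (role, age.days, age > MAX_AGE[role])
    return report


if __name__ == "__main__":
    for name, (role, days, due) in rollover_report(SAMPLE_KEYS, datetime(2010, 2, 24)).items():
        print(f"{name}: {role} age {days}d {'ROLLOVER DUE' if due else 'ok'}")
```

Run against a real key directory by reading each `K*.key` file into the dictionary; the private halves are not needed, so the audit can run on a host that never sees the KSK private key.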
