DNSSEC key renew time policy
marc.lampo at eurid.eu
Wed Dec 28 13:30:28 UTC 2011
To be more precise:
1) DNSSEC keys do not expire! (Signatures - generated with keys - do
--> this message does not mean you have to *renew* DNSSEC key;
you have to regenerate signatures.
2) ISC tools generate signatures that are by default valid for one month
(after generation time - make sure the calculating server is time-synced)
3) I suppose, though, you are using (or: trying to use) BIND's "smart
In which case you are, unfortunately, not the first to notice
may not be regenerated in time :-(
Already several incidents - with even TLDs sending expired signatures -
happened in this area.
--> either don't use smart signing (and have some cronjob recalculate
- in addition to recalculation after a change in the unsigned zone
Or "thaw" and "unthaw" zone files - it has been experienced this
"smart signing" into recalculating (but double check!)
4) Although DNSSEC keys do not expire, do change them regularly:
2-3 months for ZSKs,
1-2 years for KSKs.
EURid - for the .eu top-level-domain
From: Eduardo Bonsi [mailto:beartcom at pacbell.net]
Sent: 27 December 2011 10:16 PM
To: bind-users at isc.org
Subject: DNSSEC key renew time policy
The DLV registry has detected problems with one or more of your zones.
Below is a summary of the errors detected. For full details, please
log into the DLV registry.
Zones for username: myusername
You will only get this message if any of your zones have problems.
I just received this message and I am wondering how much time I should
put in the automatic renew for my DNSSEC key. Right now I have it set to
21 days, but that is not working as it has expired before time.
System - Network Admin
beartcom at pacbell.net
webmaster at beart.com
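The advice above comes down to watching signature expiry (not key expiry) and re-signing before it arrives, whether by cron job or by a monitoring check. The following is an added example, not code from this thread, from ISC or from EURid: a small Python checker that parses RRSIG records in presentation format (the form `dig +dnssec` prints and signed zone files contain) and flags signatures that have expired, that expire within an assumed 7-day window, or whose inception time lies in the future (the symptom of the clock-sync problem mentioned in point 2). The sample records, names, key tags and the reference time are constructed for the example.

```python
"""Report RRSIG expiry status for a set of signed records (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIG records in presentation format, as printed by
# `dig +dnssec` or found in a signed zone file. Names, dates, key tags and
# signature bytes are invented; the last line omits the class field the way
# some zone-file dumps do.
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG A 8 2 3600 20120115120000 20111216120000 12345 example.test. AbCdEf==
example.test. 3600 IN RRSIG SOA 8 2 3600 20111229000000 20111129000000 12345 example.test. GhIjKl==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20111220000000 20111120000000 54321 example.test. MnOpQr==
www.example.test. 3600 RRSIG A 8 3 3600 20120131000000 20120101000000 12345 example.test. StUvWx==
"""

# Assumed reference time for the walkthrough: the date of the list message.
NOW = datetime(2011, 12, 28, 13, 30, 28, tzinfo=timezone.utc)


def parse_rrsig_time(field):
    """RRSIG expiration/inception fields are YYYYMMDDHHMMSS in UTC (RFC 4034)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Parse RRSIG lines; tolerates a missing class field (zone-file style)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        # After the RRSIG token: type covered, algorithm, labels, original TTL,
        # expiration, inception, key tag, signer name, signature.
        if len(fields) < i + 10:
            continue
        records.append({
            "name": fields[0],
            "type": fields[i + 1],
            "expiration": parse_rrsig_time(fields[i + 5]),
            "inception": parse_rrsig_time(fields[i + 6]),
            "keytag": int(fields[i + 7]),
        })
    return records


def classify(record, now, warn_days):
    """Return a status string for one signature relative to `now`."""
    if record["inception"] > now:
        # Validators reject this; usually the signer's clock was ahead.
        return "future-inception"
    if record["expiration"] <= now:
        return "expired"
    if record["expiration"] - now < timedelta(days=warn_days):
        return "resign-soon"
    return "ok"


def check_signatures(text, now=None, warn_days=7):
    """List (name, type, status, whole days of validity left) per RRSIG."""
    now = now or datetime.now(timezone.utc)
    report = []
    for rec in parse_rrsigs(text):
        days_left = (rec["expiration"] - now).days
        report.append((rec["name"], rec["type"], classify(rec, now, warn_days), days_left))
    return report


def needs_resigning(text, now=None, warn_days=7):
    """True if any signature is expired, about to expire, or not yet valid."""
    return any(status != "ok" for _, _, status, _ in check_signatures(text, now, warn_days))


if __name__ == "__main__":
    # Non-zero exit so a cron wrapper can trigger re-signing or an alert.
    for name, rtype, status, days in check_signatures(SAMPLE_RRSIGS, NOW):
        print(f"{status:17} {days:4d}d  {name} {rtype}")
    raise SystemExit(1 if needs_resigning(SAMPLE_RRSIGS, NOW) else 0)
```

In use, the sample text would be replaced by the output of `dig +dnssec` against the authoritative server (or by a read of the signed zone file) and the exit status used to drive the cron job that re-signs. The 7-day warning window is an assumption; with ISC's default one-month validity, anything tighter than the re-signing interval plus propagation time is too late, which is the failure the original question describes.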