DNSSEC key renew time policy

Marc Lampo marc.lampo at eurid.eu
Wed Dec 28 13:30:28 UTC 2011


To be more precise :
1) DNSSEC key's do not expire !  (Signatures - generated with key's - do
   --> this message does not mean you have to *renew* DNSSEC key;
       you have to regenerate signatures.

2) ISC tools generate signatures that are by default valid for one month
(30 days)
    (after generation time - make sure calculating server is time sync'd)

3) I suppose, though, you are using (or : trying to use) Bind's "smart
    In which case you are, unfortunately, not the first to notice
    may not be regenerated in time :-(
   Already several incidents - with even tld's sending expired signatures
   happened in this area.

   --> either don't use smart signing (and have some cronjob recalculate
every week
        - in addition to recalculation after a change in the unsigned zone
       Or "thaw" and "unthaw" zone files - it has been experienced this
        "smart signing" into recalculating (but double check !)

4) Although DNSSEC key's do not expire, do change them regularly :
    2-3 months for ZSK's,
    1-2 years for KSK's.

Kind regards,

Marc Lampo
Security Officer
EURid - for the .eu top-level-domain

-----Original Message-----
From: Eduardo Bonsi [mailto:beartcom at pacbell.net] 
Sent: 27 December 2011 10:16 PM
To: bind-users at isc.org
Subject: DNSSEC key renew time policy

The DLV registry has detected problems with one or more of your zones.
Below is a summary of the errors detected.  For full details, please
log into the DLV registry.


Zones for username: myusername

Signature Expired


You will only get this message if any of your zones have problems.

I just received this message and I am wondering how much time should I 
put in the automatic renew for my DNSSEC key. Right now I have it set to 
21 days but that is not working as it has expired before time.


Eduardo Bonsi
System - Network Admin
beartcom at pacbell.net
webmaster at beart.com

More information about the bind-users mailing list