dnssec config sanity check

michoski michoski at cisco.com
Wed Oct 5 17:25:12 UTC 2011

On 10/4/11 3:49 PM, "Paul B. Henson" <henson at acm.org> wrote:
> dnssec is fairly complicated, and the issue of timing can be complex,
> but once the variables are determined then the actual procedures of
> implementation are pretty simple. Generate keys with appropriate
> publication, activation, inactivation, and deletion timings, and then
> use them ;). My hope from my initial posting was to get a little peer
> review of the appropriateness of the timings I've selected...

Your initial hope is what I missed comments on...  I found this:


"It is recommended that the transition of a KSK from the published state to
the ready state (introduction time) lasts for 45 days (RFC 5011, Automated
Updates of DNS Security (DNSSEC) Trust Anchors). If the parent of the zone
is signed, the recommended introduction time (SPARTA) is one week. The
recommended period during which a KSK is retired before it is removed from
the zone (retirement time) is four weeks. For the ZSK, the recommended
introduction time is four days and the retirement time is two weeks."

What values are other folks using?

By nature, men are nearly alike;
by practice, they get to be wide apart.
        -- Confucius
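
The introduction and retirement intervals quoted in the message above can be turned into per-key timings, shown here as an added example that is not part of the original message. The key lifetimes and the start date are assumptions chosen for illustration; only the intervals come from the quoted recommendation, and the output uses the -P/-A/-I/-D timing options of dnssec-keygen.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y%m%d%H%M%S"  # absolute UTC time format accepted by dnssec-keygen

def intervals(kind, parent_signed=False):
    """Return (introduction, retirement) as quoted in the message above."""
    if kind == "ZSK":
        return timedelta(days=4), timedelta(weeks=2)
    if kind == "KSK":
        intro = timedelta(weeks=1) if parent_signed else timedelta(days=45)
        return intro, timedelta(weeks=4)
    raise ValueError(f"unknown key type: {kind!r}")

def rollover_schedule(kind, first_publish, lifetime, count, parent_signed=False):
    """Plan `count` successive keys with no gap in active coverage."""
    intro, retire = intervals(kind, parent_signed)
    if lifetime <= timedelta(0):
        raise ValueError("lifetime must be positive")
    keys, publish = [], first_publish
    for _ in range(count):
        activate = publish + intro        # published -> ready
        inactive = activate + lifetime    # stops signing (lifetime is an assumption)
        delete = inactive + retire        # retired -> removed from the zone
        keys.append({"P": publish, "A": activate, "I": inactive, "D": delete})
        # Pre-publish the successor so it becomes active exactly when this key goes inactive.
        publish = inactive - intro
    return keys

def keygen_timing_args(key):
    """Render one key's timings as dnssec-keygen -P/-A/-I/-D options."""
    return " ".join(f"-{flag} {key[flag].strftime(FMT)}" for flag in "PAID")

if __name__ == "__main__":
    start = datetime(2011, 10, 5, tzinfo=timezone.utc)  # constructed start date
    for kind, life in (("KSK", timedelta(days=365)), ("ZSK", timedelta(days=30))):
        for key in rollover_schedule(kind, start, life, count=2):
            print(kind, keygen_timing_args(key))
```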
