[Pdns-users] When to do a key rollover?

Niek niek-pdns at internl.net
Wed May 11 15:46:28 UTC 2011


I guess this is a feature request.

I was doing a (ZSK) key rollover, just to see if it worked. It did.
(I used: http://doc.powerdns.com/dnssec-operational-doctrine.html for guidance)

Then I wondered: How do I know when to do a rollover?


I found:

 The general guideline today is that when RSA is the cryptographic algorithm in
 use the ZSK should be 1024 bits and rolled quarterly, while the KSK should be
 2048 bits and rolled every two years.

That looks like good advice. But 'pdnssec show-zone' doesn't show you the age
of your keys, so I need to keep time myself. That's not easy for a hosting
company registering new domains on a daily basis.

How about an extra field in the cryptokeys table 'generated on' and making
pdnssec aware of this?

-- Niek

More information about the Pdns-users mailing list