[Pdns-users] When to do a key rollover?

Maik Zumstrull maik at zumstrull.net
Wed May 11 15:56:55 UTC 2011

On Wed, May 11, 2011 at 17:46, Niek <niek-pdns at internl.net> wrote:

> Then I wondered: How do I know when to do a rollover?

> I found:
>  The general guideline today is that when RSA is the cryptographic algorithm in
>  use the ZSK should be 1024 bits and rolled quarterly, while the KSK should be
>  2048 bits and rolled every two years.

Seems about right. I would argue for 1280 and monthly on ZSKs, and you
can consider not rolling KSKs at all, except when forced/encouraged to
by compromise/migration.

> That looks like good advice. But 'pdnssec show-zone' doesn't show you the age
> of your keys, so I need to keep time myself. That's not easy for a hosting
> company registering new domains on a daily basis.
> How about an extra field in the cryptokeys table 'generated on'

Good idea. You can just make one, pdns doesn't mind extra columns. We
have something like that.

> and making pdnssec aware of this?

Instead of bloating the pdnssec tool, I would suggest (again, we do
this) to do key management separately. A simple script in a cronjob
should do. You can use the ldns python binding for key generation. The
basic logic per zone is:

Disable any expired ZSKs
Make sure there is an active ZSK
   If we already have a fresh spare key, enable it
   Otherwise, create a fresh and immediately active key
If the active ZSK will expire soon, create a spare key
