[Pdns-users] When to do a key rollover?
Maik Zumstrull
maik at zumstrull.net
Wed May 11 15:56:55 UTC 2011
On Wed, May 11, 2011 at 17:46, Niek <niek-pdns at internl.net> wrote:
> Then I wondered: How do I know when to do a rollover?
> I found:
>
> The general guideline today is that when RSA is the cryptographic algorithm in
> use the ZSK should be 1024 bits and rolled quarterly, while the KSK should be
> 2048 bits and rolled every two years.
Seems about right. I would argue for 1280 and monthly on ZSKs, and you
can consider not rolling KSKs at all, except when forced/encouraged to
by compromise/migration.
> That looks like good advice. But 'pdnssec show-zone' doesn't show you the age
> of your keys, so I need to keep time myself. That's not easy for a hosting
> company registering new domains on a daily basis.
>
> How about an extra field in the cryptokeys table 'generated on'
Good idea. You can just make one, pdns doesn't mind extra columns. We
have something like that.
> and making pdnssec aware of this?
Instead of bloating the pdnssec tool, I would suggest (again, we do
this) doing key management separately. A simple script in a cronjob
should do. You can use the ldns python binding for key generation. The
basic logic per zone is:
  - Disable any expired ZSKs
  - Make sure there is an active ZSK:
      - If we already have a fresh spare key, enable it
      - Otherwise, create a fresh and immediately active key
  - If the active ZSK will expire soon, create a spare key
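The per-zone logic above as a runnable cron-style script, added here as an example (not code from the list or from PowerDNS): it assumes a cryptokeys table extended with the proposed generated_on column, works on an in-memory SQLite copy filled with constructed rows, and uses a placeholder in place of ldns key generation; the 30-day ZSK lifetime and the one-week spare lead time are assumptions.

```python
import sqlite3
from datetime import date, timedelta

ZSK_FLAGS = 256                    # DNSKEY flags value of a zone-signing key (a KSK has 257)
ZSK_LIFETIME = timedelta(days=30)  # monthly ZSK roll, as suggested above
SPARE_LEAD = timedelta(days=7)     # assumed: make a spare a week before the active key expires
def open_table(rows):
    """In-memory stand-in for cryptokeys plus the proposed generated_on column; rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cryptokeys (id INTEGER PRIMARY KEY, domain_id INTEGER, "
                 "flags INTEGER, active INTEGER, content TEXT, generated_on TEXT)")
    conn.executemany("INSERT INTO cryptokeys VALUES (?,?,?,?,?,?)", rows)
    return conn

placeholder_key = lambda d, t: f"PLACEHOLDER-ZSK domain={d} made={t}"  # stand-in for ldns keygen

def roll_zone(conn, domain_id, today, make_key=placeholder_key):
    """Apply the per-zone logic for one zone on ISO date `today`; return the (action, key id) list."""
    today, actions, cur = date.fromisoformat(today), [], conn.cursor()
    rows = cur.execute("SELECT id, active, generated_on FROM cryptokeys WHERE domain_id=? "
                       "AND flags=?", (domain_id, ZSK_FLAGS)).fetchall()
    keys = {kid: (bool(act), date.fromisoformat(gen)) for kid, act, gen in rows}
    expired = lambda gen: today >= gen + ZSK_LIFETIME
    def set_active(kid, flag):
        cur.execute("UPDATE cryptokeys SET active=? WHERE id=?", (int(flag), kid))
        keys[kid] = (flag, keys[kid][1])
        actions.append(("enable" if flag else "disable", kid))
    def create(active):
        cur.execute("INSERT INTO cryptokeys (domain_id, flags, active, content, generated_on) "
                    "VALUES (?,?,?,?,?)", (domain_id, ZSK_FLAGS, int(active),
                                           make_key(domain_id, today), today.isoformat()))
        keys[cur.lastrowid] = (active, today)
        actions.append(("create-active" if active else "create-spare", cur.lastrowid))
    # 1. Disable any expired ZSKs.
    for kid, (act, gen) in list(keys.items()):
        if act and expired(gen):
            set_active(kid, False)
    # 2. Make sure there is an active ZSK: enable a fresh spare if one exists, else create one.
    spares = [kid for kid, (act, gen) in keys.items() if not act and not expired(gen)]
    if not any(act for act, _ in keys.values()):
        if spares:
            set_active(spares.pop(0), True)
        else:
            create(active=True)
    # 3. If the active ZSK expires soon and there is no spare yet, create one (cron runs daily).
    oldest_active = min(gen for act, gen in keys.values() if act)
    if not spares and today >= oldest_active + ZSK_LIFETIME - SPARE_LEAD:
        create(active=False)
    conn.commit()
    return actions
```

Run it once per zone from cron; the returned actions are what a real script would log and feed to key generation and pdnssec.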