Local DNSSEC parameters
The following local policies were derived from the DNSSEC timing considerations in RFC 4641.
- Zone signing keys (ZSKs) are RSASHA256 at 2048 bits. Key signing keys (KSKs) are RSASHA256 at 4096 bits.
- The signature validity period is 90 days.
- The signature publication period is 75 days. Zone re-signing is driven by an hourly cron script.
- The SOA expire timer shall be no larger than 864000 seconds (10 days). Therefore, if a slave server completed a zone transfer just before the end of the signature publication period, its copy of the zone would expire in 10 days, well before the end of the signature validity period in 25 days.
- The TTL value for RRSets shall be no larger than 864000 seconds (10 days). Therefore, if a remote DNS cache has received an RRSet and its associated RRSIG records, that cache will expire the records before the end of the signature validity period.
- We use the Double Signature Zone Signing Key Rollover procedure from section 4.2.1.2 of RFC 4641, modified such that we always have two zone signing keys. Essentially, we are always in the middle of a ZSK rollover event. Every 150 days we generate a new ZSK, and the zones are always signed with two zone signing keys.
- We use the Double Signature Key Signing Key Rollover procedure, modified such that we always have two key signing keys. Essentially, we are always in the middle of a KSK rollover event. Every 300 days we generate a new KSK, and the zone signing keys are always signed with two key signing keys.
Other general issues:
- Signed zones are checked at least daily for validity using an external DNSSEC-capable resolver.
- The local DNS resolver is DNSSEC-enabled and performs DNSSEC validation for local clients.
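As an added example (not part of the original policy text), the following Python check applies the timing parameters above to RRSIG records in the presentation format printed by dig, the kind of test the daily validity run can perform. The sample records, the zone name and the check time are constructed.

```python
from datetime import datetime, timezone

DAY = 86400
POLICY = {                    # the local parameters stated above
    "algorithm": 8,           # RSASHA256
    "validity": 90 * DAY,     # signature validity period
    "publication": 75 * DAY,  # a signature is replaced after this long
    "max_ttl": 864000,        # RRSet TTL cap (10 days)
    "soa_expire": 864000,     # SOA expire cap (10 days)
}

def _ts(s):  # RRSIG timestamps are YYYYMMDDHHmmSS in UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Split one RRSIG record (dig presentation format) into the fields checked below."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {"type": f[4], "algorithm": int(f[5]), "orig_ttl": int(f[7]),
            "expiration": _ts(f[8]), "inception": _ts(f[9]), "keytag": int(f[10])}

def check_rrsig(sig, now, policy=POLICY):
    """Return the list of policy violations for one signature (empty if it is fine)."""
    problems = []
    if sig["algorithm"] != policy["algorithm"]:
        problems.append("algorithm %d is not RSASHA256" % sig["algorithm"])
    if sig["orig_ttl"] > policy["max_ttl"]:
        problems.append("original TTL %d exceeds the 864000 s cap" % sig["orig_ttl"])
    if (sig["expiration"] - sig["inception"]).total_seconds() > policy["validity"]:
        problems.append("validity period longer than 90 days")
    remaining = (sig["expiration"] - now).total_seconds()
    # After 75 days of publication the hourly cron job must have replaced the
    # signature; less than 15 days of validity left means re-signing has stalled.
    if remaining < policy["validity"] - policy["publication"]:
        problems.append("signature has been published longer than 75 days")
    # A slave that just transferred the zone, or a cache that just fetched the
    # RRSet, must see the signature outlive the SOA expire / TTL window.
    if remaining < max(policy["soa_expire"], policy["max_ttl"]):
        problems.append("less than SOA expire / max TTL of validity left")
    return problems

SAMPLE = [  # constructed sample records and check time, not real zone data
    "example.test. 3600 IN RRSIG A 8 2 3600 20240415120000 20240116120000 12345 example.test. AbCd==",
    "example.test. 3600 IN RRSIG MX 8 2 3600 20240328120000 20240101120000 12345 example.test. EfGh==",
]
CHECK_TIME = datetime(2024, 3, 20, 12, 0, tzinfo=timezone.utc)

def audit(lines=SAMPLE, now=CHECK_TIME):
    """Map each covered type to its violations; feed it `dig +dnssec` output in practice."""
    return {p["type"]: check_rrsig(p, now) for p in map(parse_rrsig, lines)}
```

The A signature (26 days of validity left) passes; the MX signature (8 days left) is flagged both as overdue for re-signing and as too close to expiry for the SOA expire and TTL windows.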