[dns-operations] Few questions regarding DNSSEC

Peter Andreev andreev.peter at gmail.com
Thu Oct 31 16:45:03 UTC 2013

1) It's up to you, if your zones are small and keys are long, you can live
without rotation longer. For example we rotate KSK every year and ZSK every
3 months with SHA256 and 10M records in zone. Also take a look at

2) Child zone doesn't need to be signed with the same key(s) as parent.

2013/10/31 staticsafe <me at staticsafe.ca>

> I have recently started signing all of my domains that I possibly can. I
> have a couple of questions.
> 1) Are there any recommendations on how often keys should be rotated? Best
> practices to perform during the rotation process?
> 2) I have a zone ircops.org delegated to my own NSes, in it there is a
> sub-zone dnsbl.ircops.org delegated to other nameservers. Does
> dnsbl.ircops.org need to be signed with the same key(s) as ircops.org?
> Thank you for your answers. References to reading materials are much
> appreciated.
> --
> staticsafe
> O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
> Please don't top post. It is not logical.
> Please don't CC me! I'm subscribed to whatever list I just posted on.
> ______________________________**_________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.**net <dns-operations at lists.dns-oarc.net>
> https://lists.dns-oarc.net/**mailman/listinfo/dns-**operations<https://lists.dns-oarc.net/mailman/listinfo/dns-operations>
> dns-jobs mailing list
> https://lists.dns-oarc.net/**mailman/listinfo/dns-jobs<https://lists.dns-oarc.net/mailman/listinfo/dns-jobs>

Is there any problem Exterminatus cannot solve? I have not found one yet.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20131031/5d48bee2/attachment.html>

More information about the dns-operations mailing list