Forum Discussion
DNSSEC - Zone Signing and Key Signing Keys
I'm looking into using DNSSEC for our Wide IPs. I've got the signing working for our UAT records but now I'm more interested in the best practices for the Zone Signing and Key Signing Keys as well as how the rollover and expiration values work.
Here is what I know from reading:
The default for rollover is 0 and the expiration is 0 with the TTL set at 24 hours (86400 seconds). I do know that the difference between the Expiration Period and Rollover Period must be greater than the TTL, Expiration - Rollover > TTL. The recommended Expiration Period for Zone Signing Keys is 30-90 days and for Key Signing Keys is 1 year.
My questions are:
- What is the function of the rollover period in relation to the expiration period?
- What is the best practice value for the rollover period?
- What happens once the Expiration Period ends? Will I need to recreate the keys?
Any help or guidance would be appreciated!
- JustCooLpOOLe
Cirrocumulus
bump
- JustCooLpOOLe
Cirrocumulus
bump again
- Leonardo_Souza
Cirrocumulus
Have you read this link?
I don't play with DNSSEC very often, but let me try to answer the questions:
What is the function of the rollover period in relation to the expiration period?
Rollover period is when both keys are valid.
What is the best practice value for the rollover period?
The manual talks about 21 days.
What happens once the Expiration Period ends? Will I need to recreate the keys?
You should have already created a second key before that, during the rollover period, so that key should be valid.
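A worked example, added here and not part of either post, that checks the relationship stated in the question (Expiration - Rollover > TTL) and lays out the resulting key timeline. It assumes the following model of the BIG-IP settings: the rollover period runs from key generation to the point the system generates the successor key, the expiration period runs from key generation to the point the old key is withdrawn, and a period of 0 means the automatic behaviour is disabled. Resolvers can keep the old DNSKEY and RRSIG records cached for up to one TTL after the successor is published, which is why the overlap has to exceed the TTL. The dates, the 90-day expiration and the 21-day rollover are constructed inputs, not values from either post.

```python
from datetime import datetime, timedelta

SECONDS_PER_DAY = 86400


def overlap_seconds(expiration_days: int, rollover_days: int) -> int:
    """Time during which both the old key and its successor are published."""
    return (expiration_days - rollover_days) * SECONDS_PER_DAY


def periods_are_safe(expiration_days: int, rollover_days: int, ttl_seconds: int) -> bool:
    """Check the relationship from the question: Expiration - Rollover > TTL.

    Assumption: a period of 0 means the automatic rollover or expiration is
    disabled, so there is no overlap window to validate.
    """
    if expiration_days == 0 or rollover_days == 0:
        return True
    return overlap_seconds(expiration_days, rollover_days) > ttl_seconds


def rollover_timeline(created_iso: str, expiration_days: int,
                      rollover_days: int, ttl_seconds: int) -> dict:
    """Lay out the lifecycle of one key generated at created_iso.

    Assumed semantics: the successor key is generated when the rollover
    period elapses and the old key is withdrawn when the expiration period
    elapses. Resolvers may serve cached DNSKEY/RRSIG data signed by the old
    key for up to TTL seconds after the successor appears, so the old key
    must stay valid at least that long.
    """
    if expiration_days == 0 or rollover_days == 0:
        raise ValueError("automatic rollover or expiration is disabled (period 0)")
    if not periods_are_safe(expiration_days, rollover_days, ttl_seconds):
        raise ValueError(
            f"overlap of {overlap_seconds(expiration_days, rollover_days)}s is not "
            f"greater than TTL {ttl_seconds}s; resolvers could still hold "
            "signatures made with a withdrawn key"
        )
    created = datetime.fromisoformat(created_iso)
    successor_at = created + timedelta(days=rollover_days)
    expires_at = created + timedelta(days=expiration_days)
    # Earliest moment at which every cache has had a chance to fetch the new key.
    caches_drained_at = successor_at + timedelta(seconds=ttl_seconds)
    return {
        "created_at": created.isoformat(),
        "successor_generated_at": successor_at.isoformat(),
        "caches_drained_at": caches_drained_at.isoformat(),
        "expires_at": expires_at.isoformat(),
        "overlap_seconds": overlap_seconds(expiration_days, rollover_days),
    }


if __name__ == "__main__":
    # Constructed inputs: a ZSK with a 90-day expiration, the 21-day rollover
    # the reply mentions, and the 24-hour TTL from the question.
    for key, value in rollover_timeline("2024-01-01", 90, 21, 86400).items():
        print(f"{key:>24}: {value}")
    # Equal periods leave no overlap at all, so the check fails.
    print("30/30 safe?", periods_are_safe(30, 30, 86400))
```

Note that an overlap exactly equal to the TTL (for example 31-day expiration with a 30-day rollover at a 24-hour TTL) is rejected, because the relationship requires strictly greater than the TTL.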