Okay, so this is a key that's arguably more important than your KSK, because it's used to protect authentication information and, depending on how you do business, financial information belonging to your customers. If it's safe to roll this key every two years, it's safe to roll your KSK no more often, and I would argue that the same is true for your zone key.
There are a few differences here. For one, your private ZSK could live on the nameserver and automatically resign your zone, while you keep your KSK in secure offline storage. Though some people will want to keep the ZSK offline as well. Second, changing the KSK requires talking to the upstream to get the DS record published at the parent. This takes more work and is currently not automated. You don't want to do this every month.
As said before, the tools out there do not have the automation required to make it easy for an operator to deploy DNSSEC widely.
I have to disagree with that of course, as my company has made such a tool :)
I will point out though that the financial incentive to secure a zone varies according to what is done with that zone. My home domain, fugue.com, really doesn't need to be signed, because I only ever use it for things where I have adequate application-layer security, and nobody's going to punch their credit card info into a faked fugue.com domain. I signed it today anyway just to make a point.
How much do you place trust in your home domain with your laptop? I'd say especially your own personal domains would need to be secure. Whether I get a fake CNN.com page is much less important to me than whether my nfs or mail server can be accessed by something. Also, I put valuable data, such as SSHFP and IPSECKEY records, in my 'personal' domains, and those I clearly want to be protected.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
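As an added illustration of the DS step mentioned above (example code, not from the thread or any participant): this Python derives the DS record RDATA a parent must publish for a KSK DNSKEY and checks that a published DS matches it, using the key tag (RFC 4034 Appendix B) and digest (owner name wire form followed by DNSKEY RDATA) definitions. The DNSKEY bytes are constructed dummy values, and fugue.com is used only as the owner name.

```python
"""Derive and verify the DS record for a KSK DNSKEY (RFC 4034 / RFC 4509)."""
import base64
import hashlib

# DS digest type codes: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(text: str) -> bytes:
    """Turn presentation-format RDATA '257 3 13 <base64>' into wire-format RDATA."""
    flags, proto, alg, *key = text.split()
    pubkey = base64.b64decode("".join(key))
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (general algorithm, not the RSA/MD5 special case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS RDATA '<keytag> <alg> <digest_type> <hex>'; digest is over owner wire name + DNSKEY RDATA."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def ds_matches(owner: str, dnskey_text: str, parent_ds: str) -> bool:
    """True if the DS published at the parent is the one derived from this DNSKEY."""
    tag, alg, dtype, digest = parent_ds.split()
    expected = compute_ds(owner, parse_dnskey(dnskey_text), int(dtype))
    return expected == f"{tag} {alg} {dtype} {digest.upper()}"


# Constructed sample: flags 257 (SEP bit set, i.e. a KSK), protocol 3, algorithm 13,
# followed by 64 dummy key bytes. Not a real key; used only to exercise the functions.
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    print(compute_ds("fugue.com.", parse_dnskey(SAMPLE_DNSKEY)))
```

Before asking the parent to swap the DS during a KSK roll, run the new DNSKEY through `compute_ds` and compare against what the parent actually serves; a mismatch in key tag or digest means the chain of trust will break once the old DS is withdrawn.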