Hi, I guess this is a feature request.

I was doing a (ZSK) key rollover, just to see if it worked. It did. (I used http://doc.powerdns.com/dnssec-operational-doctrine.html for guidance.)

Then I wondered: how do I know when to do a rollover? On http://www.securityweek.com/five-strategies-flawless-dnssec-key-management-and-rollover I found:

"The general guideline today is that when RSA is the cryptographic algorithm in use the ZSK should be 1024 bits and rolled quarterly, while the KSK should be 2048 bits and rolled every two years."

That looks like good advice. But 'pdnssec show-zone' doesn't show you the age of your keys, so I need to keep time myself. That's not easy for a hosting company registering new domains on a daily basis.

How about an extra field 'generated on' in the cryptokeys table, and making pdnssec aware of this?

Grtz,
--
Niek
