* Viktor Dukhovni: > With ECDSA P256(13) as the DNSKEY (signature) algorithm, the incentive > to rotate keys frequently (~90 days) is substantially lower [...]
I still use RSA keys (algorithm 8). My main point is that I find it more convenient to only roll ZSK, and to only place KSK data into the parent zone. The latter requires me to ask my hosting provider to manually update key material in the TLD zones, and I try to keep the frequency of these update low. "Your mileage may vary." ;-) -Ralph
