On 21. Aug 2021, at 01:57, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote: >> On 20 Aug 2021, at 4:59 pm, Michael Grimm <trash...@ellael.org> wrote:
>> All of my domains are signed by KSK(13) and ZSK(13) and I do still rotate my >> ZSK's every 90 days after my migration from DSA keys. If I do understand you >> correctly, I could modify my ZSK rotation scheme to once a year given the >> case that key disclosure is not an issue, correct? > > Yes, Thanks for your highly appreciated opinion. > provided you're still confident that the process works > correctly and reliably. Sometimes it is a good idea to practice > things more frequently, just be sure you're doing it right… I am using an opendnssec workflow for some years now which I trust and monitor constantly. For the time being I will increase ZSK rotation from 90 days to six month. Again, thanks for your opinion and regards, Michael
