Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO
Stephane Bortzmeyer wrote:
> There is nothing about key rollover, it seems? How do you handle it?

I don't. (Well, for now the plan is to do it once a year by hand. Then, we'll see...)

Regards,
Eugene

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO
On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote:
> (Well, for now the plan is to do it once a year by hand. Then, we'll see...)

For the record, NIST recommends to roll the ZSK every three months, and the KSK every two years.

Thanks,
--
Nicholas
Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO
Nicholas Wheeler wrote:
> On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote:
>> (Well, for now the plan is to do it once a year by hand. Then, we'll see...)
>
> For the record, NIST recommends to roll the ZSK every three months, and the KSK every two years.

And there are lots of other opinions on this timing as well.

Rolling ZSK using BIND 9.7 is amazingly easy - I'm planning on writing a short paper on this as time permits.

Rolling KSK is a bit more difficult as there aren't a lot of registrars that have the ability to accept DS records at this point anyway, and I don't see them implementing RFC-5011 personally... It's coming, it's just not here quite yet.

AlanC
Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO
On Tue, 23 Feb 2010, Alan Clegg wrote:
>> For the record, NIST recommends to roll the ZSK every three months, and the KSK every two years.
>
> And there are lots of other opinions on this timing as well.

Note that you cannot really talk about rolling key recommendations without mentioning the key sizes (and algorithms) involved. I believe the above NIST recommendation is for 1024 bit RSASHA1 ZSKs and 2048 bit RSASHA1 keys. They might also apply to RSASHA256 keys.

Paul
Re: DNSSEC: Configuring auto-signed dynamic zone HOWTO
> Date: Tue, 23 Feb 2010 16:02:27 -0500
> From: Alan Clegg acl...@isc.org
>
> Nicholas Wheeler wrote:
>> On Tue, 2010-02-23 at 23:40 +0300, Eugene Crosser wrote:
>>> (Well, for now the plan is to do it once a year by hand. Then, we'll see...)
>>
>> For the record, NIST recommends to roll the ZSK every three months, and the KSK every two years.

My copy of SP800-81r1 says ZSK 1 month and KSK 1-2 years. It also recommends a 2048 bit key for both KSK and ZSK. It was still draft when I printed it out, but I suspect that the final draft will match these recommendations.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net
Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
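Added example, not written by anyone in this thread: a Python sketch of the pre-publish ZSK rollover timeline for the two intervals discussed above (quarterly per Nicholas's reading of NIST, monthly per Kevin's copy of SP800-81r1), using the Publish/Activate/Inactive/Delete event names of BIND 9.7 key metadata. The DNSKEY TTL, signature validity and propagation margin are assumed values, and the safety check shows what breaks when an old key is deleted too early or a successor is published too late.

```python
from datetime import datetime, timedelta

# Assumed operational parameters (constructed for this example, not from the thread).
DNSKEY_TTL = timedelta(hours=1)     # TTL of the DNSKEY RRset
SIG_VALIDITY = timedelta(days=30)   # lifetime of the RRSIGs a ZSK produces
PROPAGATION = timedelta(days=1)     # margin for secondaries and slow caches

def zsk_timeline(activate, lifetime, dnskey_ttl=DNSKEY_TTL,
                 sig_validity=SIG_VALIDITY, propagation=PROPAGATION):
    """Pre-publish rollover events for one ZSK, named like BIND key metadata:
    publish the DNSKEY early enough to be cached before it signs, sign for
    `lifetime`, then keep the DNSKEY until every RRSIG it made has expired."""
    return {
        "Publish": activate - (dnskey_ttl + propagation),
        "Activate": activate,
        "Inactive": activate + lifetime,
        "Delete": activate + lifetime + sig_validity + propagation,
    }

def zsk_plan(lifetime_days, count, start=datetime(2010, 3, 1), **kw):
    """Timelines for `count` consecutive ZSKs, each taking over from the last."""
    lifetime = timedelta(days=lifetime_days)
    return [zsk_timeline(start + i * lifetime, lifetime, **kw) for i in range(count)]

def plan_is_safe(plan, dnskey_ttl=DNSKEY_TTL,
                 sig_validity=SIG_VALIDITY, propagation=PROPAGATION):
    """Validate each handover: no signing gap, successor pre-published long
    enough, predecessor retained until its cached signatures have aged out."""
    for old, new in zip(plan, plan[1:]):
        if new["Activate"] != old["Inactive"]:
            return False   # a moment with two signers or none
        if new["Activate"] - new["Publish"] < dnskey_ttl + propagation:
            return False   # validators may still lack the new DNSKEY
        if old["Delete"] - old["Inactive"] < sig_validity + propagation:
            return False   # cached RRSIGs would fail validation
    return True

def bind_time(dt):
    """YYYYMMDDHHMMSS, the timestamp form dnssec-keygen/dnssec-settime use."""
    return dt.strftime("%Y%m%d%H%M%S")

if __name__ == "__main__":
    for label, days in (("quarterly ZSK", 90), ("monthly ZSK", 30)):
        plan = zsk_plan(days, 3)
        print(f"{label}: safe={plan_is_safe(plan)}")
        for key in plan:
            print("  " + "  ".join(f"{e}={bind_time(t)}" for e, t in key.items()))
```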