On 10/4/11 3:49 PM, "Paul B. Henson" <[email protected]> wrote: > dnssec is fairly complicated, and the issue of timing can be complex, > but once the variables are determined than the actual procedures of > implementation are pretty simple. Generate keys with appropriate > publication, activation, inactivation, and deletion timings, and then > use them ;). My hope from my initial posting was to get a little peer > review of the appropriateness of the timings I've selected...
Your initial hope is what I missed comments on... I found this: https://www.enisa.europa.eu/act/res/technologies/tech/gpgdnssec/at_download/ fullReport "It is recommended that the transition of a KSK from the published state to the ready state (introduction time) lasts for 45 days (RFC 5011, Automated Updates of DNS Security (DNSSEC) Trust Anchors). If the parent of the zone is signed, the recommended introduction time (SPARTA) is one week. The recommended period during which a KSK is retired before it is removed from the zone (retirement time) is four weeks. For the ZSK, the recommended introduction time is four days and the retirement time is two weeks." What values are other folks using? -- By nature, men are nearly alike; by practice, they get to be wide apart. -- Confucius _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
