On Wed, May 11, 2011 at 17:46, Niek <[email protected]> wrote:

> Then I wondered: How do I know when to do a rollover?
> I found:
>
> The general guideline today is that when RSA is the cryptographic algorithm in
> use the ZSK should be 1024 bits and rolled quarterly, while the KSK should be
> 2048 bits and rolled every two years.

Seems about right. I would argue for 1280 and monthly on ZSKs, and you can consider not rolling KSKs at all, except when forced/encouraged to by compromise/migration.

> That looks like good advice. But 'pdnssec show-zone' doesn't show you the age
> of your keys, so I need to keep time myself. That's not easy for a hosting
> company registering new domains on a daily basis.
>
> How about an extra field in the cryptokeys table 'generated on'

Good idea. You can just make one, pdns doesn't mind extra columns. We have something like that.

> and making pdnssec aware of this?

Instead of bloating the pdnssec tool, I would suggest (again, we do this) doing key management separately. A simple script in a cronjob should do. You can use the ldns python binding for key generation.

The basic logic per zone is:

Disable any expired ZSKs
Make sure there is an active ZSK
    If we already have a fresh spare key, enable it
    Otherwise, create a fresh and immediately active key
If the active ZSK will expire soon, create a spare key

_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
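The per-zone logic described in the reply above, written out as an added example (it is not code from the thread or from PowerDNS). It assumes the gsql backend's cryptokeys table (id, domain_id, flags, active, content) has been given the proposed extra generated_on column; that column, the in-memory sqlite stand-in for the backend, the 30-day/7-day policy and the dates used are all constructed for the example. Actual key material is produced elsewhere (the ldns binding or pdnssec), so new_key_content() only returns a placeholder string; the point is the scheduling, which is what the thread leaves as an exercise.

```python
"""Cron-style ZSK rollover scheduler against a PowerDNS-like cryptokeys table.

Added example, not PowerDNS code. Assumptions (all hypothetical):
  * cryptokeys carries an extra generated_on column (ISO date);
  * key generation happens elsewhere (ldns / pdnssec); new_key_content()
    returns a placeholder so the scheduler runs offline.
"""
import secrets
import sqlite3
from datetime import date, timedelta

ZSK = 256  # DNSKEY flags value of a zone-signing key (a KSK is 257)

# Policy from the thread: monthly ZSK rolls, spare created a week early.
ZSK_LIFETIME = timedelta(days=30)
SPARE_LEAD = timedelta(days=7)

START = date(2011, 5, 11)  # constructed start date for the demo


def day(n):
    """Date n days after START (constructed timeline)."""
    return START + timedelta(days=n)


def open_db():
    """In-memory stand-in for the gsql cryptokeys table (constructed),
    with the assumed generated_on column added."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cryptokeys ("
        " id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,"
        " flags INTEGER NOT NULL, active INTEGER NOT NULL,"
        " content TEXT NOT NULL, generated_on TEXT NOT NULL)"
    )
    return conn


def new_key_content():
    """Placeholder for the private-key text the ldns binding (or
    'pdnssec add-zone-key') would produce; random so rows stay distinct."""
    return "placeholder-zsk-" + secrets.token_hex(8)


def add_zsk(conn, domain_id, today, active):
    """Insert a ZSK row stamped with today's date and return its id."""
    cur = conn.execute(
        "INSERT INTO cryptokeys (domain_id, flags, active, content, generated_on)"
        " VALUES (?, ?, ?, ?, ?)",
        (domain_id, ZSK, int(active), new_key_content(), today.isoformat()),
    )
    return cur.lastrowid


def zsks(conn, domain_id):
    """All ZSK rows of a zone as (id, active, generated_on), oldest first."""
    rows = conn.execute(
        "SELECT id, active, generated_on FROM cryptokeys"
        " WHERE domain_id = ? AND flags = ? ORDER BY id",
        (domain_id, ZSK),
    )
    return [(kid, bool(act), date.fromisoformat(gen)) for kid, act, gen in rows]


def set_active(conn, kid, active):
    conn.execute("UPDATE cryptokeys SET active = ? WHERE id = ?", (int(active), kid))


def rotate_zsks(conn, domain_id, today):
    """Run the thread's per-zone logic once; returns (action, key_id)
    tuples so a cron wrapper can log what it did."""
    actions = []
    expiry = lambda gen: gen + ZSK_LIFETIME

    # 1. Disable any expired ZSKs. Rows stay in the table (still published
    #    in the DNSKEY RRset, no longer signing); deletion is a later step.
    for kid, active, gen in zsks(conn, domain_id):
        if active and expiry(gen) <= today:
            set_active(conn, kid, False)
            actions.append(("disable", kid))

    keys = zsks(conn, domain_id)
    active = [(kid, gen) for kid, act, gen in keys if act]
    # A usable spare is an inactive key that has not itself expired.
    spares = [(kid, gen) for kid, act, gen in keys if not act and expiry(gen) > today]

    # 2. Make sure there is an active ZSK.
    if not active:
        if spares:
            # 3. A fresh spare exists: enable the newest one.
            kid, gen = max(spares, key=lambda k: k[1])
            set_active(conn, kid, True)
            actions.append(("activate", kid))
            spares.remove((kid, gen))
        else:
            # 4. Otherwise create a key that is active immediately.
            kid, gen = add_zsk(conn, domain_id, today, active=True), today
            actions.append(("create-active", kid))
        active = [(kid, gen)]

    # 5. If the newest active ZSK will expire soon, pre-publish one spare.
    _, newest_gen = max(active, key=lambda k: k[1])
    if expiry(newest_gen) - SPARE_LEAD <= today and not spares:
        kid = add_zsk(conn, domain_id, today, active=False)
        actions.append(("create-spare", kid))

    conn.commit()
    return actions


def simulate(offsets, domain_id=1):
    """Run the scheduler for one zone on each listed day after START;
    returns the connection and the per-run action lists."""
    conn = open_db()
    return conn, [rotate_zsks(conn, domain_id, day(o)) for o in offsets]


if __name__ == "__main__":
    _, runs = simulate([0, 23, 23, 30])
    for offset, acts in zip([0, 23, 23, 30], runs):
        print(day(offset), acts)
```

Two things to size SPARE_LEAD and the deletion step by: a pre-published key must have been in the DNSKEY RRset for longer than that RRset's TTL before it starts signing, or validators holding the old DNSKEY set will fail on signatures made with it, so SPARE_LEAD has to exceed the DNSKEY TTL plus propagation to your secondaries; and a disabled key has to stay published until the last RRSIG it produced has aged out of caches, so "disable" and "delete" are deliberately separate steps here. The lifetime counts from generated_on, as proposed in the thread, which means a spare created SPARE_LEAD early only signs for ZSK_LIFETIME minus SPARE_LEAD; track an activation date instead if that matters.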
