> On 28. 9. 2024, at 1:31, Terik Erik Ashfolk <ate...@outlook.com> wrote:
>
> and during consideration I was using a dnssec-policy opPolicy2W with KSK
> changing every 20 days, & ZSK every 10 days.
>
> Now I changed to another dnssec-policy opPolicy3M: KSK changing every ~3
> months & ZSK every 22 days.
Just don’t do this. It makes absolutely no sense to change keys so often. This is not x509. You should know how to change the KSK, so practicing it (or automating it) makes sense every so often (like a couple of years). But there’s absolutely no reason to change the cryptographic material so often. You don’t change your ssh keys every 20 days, do you?

You talk about “increasing costs” by adding one more server. This is a fallacy - everything you described so far increases costs because of the total complexity of your setup. You want to run simple components that can be easily provisioned and replaced and don’t need PhD degrees to operate and run. Any added complexity has to be justified, and whatever the zone(s) you are running (you haven’t shared any details), it would never be justified to have a complex setup like this. Complex means fragile, not resilient.

Ondrej

--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
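To make the advice in the reply concrete, here is an added `named.conf` example (not from either poster, and not taken from the original thread): the frequent-rollover policy as the question describes it, next to a policy with the kind of lifetimes the reply argues for. The policy names `rollover-too-often` and `rollover-sane`, the zone name `example.com` and the algorithm choice are assumptions made for the example; `dnssec-policy` with ISO 8601 `lifetime` durations requires BIND 9.16 or later.

```conf
/* Added example, not from the original post. Assumes BIND 9.16+. */

/* The setup described in the question: short lifetimes mean the zone is
   almost permanently in some phase of a rollover. Every KSK rollover also
   needs a DS update at the parent, so a KSK lifetime this short makes the
   parent interaction a recurring operational risk rather than a rare event. */
dnssec-policy "rollover-too-often" {
    keys {
        ksk lifetime P20D algorithm ecdsap256sha256;   /* KSK every 20 days  */
        zsk lifetime P10D algorithm ecdsap256sha256;   /* ZSK every 10 days  */
    };
};

/* The shape the reply recommends: no scheduled KSK rollover at all
   ("unlimited" means named never starts one on its own), and a ZSK
   lifetime measured in months rather than days. A KSK rollover is then
   something you trigger deliberately when you practise the procedure. */
dnssec-policy "rollover-sane" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256; /* manual/rare    */
        zsk lifetime P6M       algorithm ecdsap256sha256; /* twice a year   */
    };
};

/* Apply one policy per zone; switching a zone from one policy to another
   is itself a rollover, so do it once and leave it alone. */
zone "example.com" {
    type primary;
    file "example.com.db";
    dnssec-policy "rollover-sane";
    inline-signing yes;
};
```

With `lifetime unlimited` on the KSK, a rollover happens only when an operator asks for it (in BIND 9.16 and later, `rndc dnssec -rollover -key <keyid> example.com` starts one for a specific key), which matches the reply's point that the KSK procedure is something to practise every few years, not something to run continuously. `rndc dnssec -status example.com` shows which phase each key is in, so you can confirm the zone is idle between rollovers rather than cycling keys around the clock.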