1) It's up to you: if your zones are small and your keys are long, you can live without rotation longer. For example, we rotate the KSK every year and the ZSK every 3 months with SHA256 and 10M records in the zone. Also take a look at http://tools.ietf.org/html/rfc6781
2) A child zone doesn't need to be signed with the same key(s) as the parent.

2013/10/31 staticsafe <[email protected]>

> I have recently started signing all of my domains that I possibly can. I
> have a couple of questions.
>
> 1) Are there any recommendations on how often keys should be rotated? Best
> practices to perform during the rotation process?
>
> 2) I have a zone ircops.org delegated to my own NSes, in it there is a
> sub-zone dnsbl.ircops.org delegated to other nameservers. Does
> dnsbl.ircops.org need to be signed with the same key(s) as ircops.org?
>
> Thank you for your answers. References to reading materials are much
> appreciated.
>
> --
> staticsafe
> O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
> Please don't top post. It is not logical.
> Please don't CC me! I'm subscribed to whatever list I just posted on.
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

--
Is there any problem Exterminatus cannot solve? I have not found one yet.
