Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> With ECDSA P256(13) as the DNSKEY (signature) algorithm, the incentive
> to rotate keys frequently (~90 days) is substantially lower, as the keys
> are strong enough to resist cryptographic attacks for years. The only
> practical risk is key disclosure.

Thanks for that information, which I hadn't thought about before. All of my domains are signed by KSK(13) and ZSK(13), and I still rotate my ZSKs every 90 days after my migration from DSA keys.

If I understand you correctly, I could modify my ZSK rotation scheme to once a year, given that key disclosure is not an issue, correct?

Regards,
Michael