@oldsysops There are different opinions on whether it is a good idea to rotate the KSK but nobody said it should be required (the root changed its KSK only once since it was signed).
@oldsysops @bortzmeyer The idea of splitting KSK/ZSK (not the sole way possible, `uk` was a CSK for a long time, aka a single key) is to follow "security" guidelines that say, since all signatures can be recorded, that gives a huge amount of data for cryptanalysis and as such changing the keys "often" is good. With a ZSK it is easy to change as often as you want or close to that (typically weeks/few months). With a KSK, bigger problem (because of parent involvement) but usually every couple of years. 1/x
@oldsysops @bortzmeyer See §3.3 of RFC6781: "Ignoring the operational perspective, a reasonable effectivity period for KSKs that have corresponding DS records in the parent zone is on the order of two decades or longer." + "When one opts for a regular key rollover, a reasonable key effectivity period for KSKs that have a parent zone is one year, meaning you have the intent to replace them after 12 months." 2/x
@oldsysops @bortzmeyer The other argument on the table to rotate, even if over a long period, is just to make sure... to know how to rotate. That is, if one day you need to do it for an emergency (private key leaked, QC breaking all old crypto, etc.) you had better be prepared and have all tooling and procedures in place... which can happen only if you built them during "peace" time, so regular changes are like a rehearsal. Depends on the importance of the zone as well. 3/3
@oldsysops @bortzmeyer For another perspective look at the defaults in the new Cascade DNSSEC tool by @nlnetlabs at https://github.com/NLnetLabs/cascade/pull/71/files : KSK/CSK rotation ~= yearly, ZSK rotation ~= monthly, signatures ~= half-month
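As an added example (not code from the thread, from Cascade or from NLnet Labs), a small audit that derives each key's role from its DNSKEY flags and reports keys and RRSIGs whose age or validity window exceeds the cadence described above. The thresholds and the per-key creation timestamps are assumptions: DNS itself does not record when a key was created, so that has to come from the signer's key store.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed thresholds from the cadence in the thread: KSK/CSK yearly, ZSK monthly, signatures half a month.
MAX_KEY_AGE = {"KSK": timedelta(days=365), "CSK": timedelta(days=365), "ZSK": timedelta(days=31)}
MAX_SIG_LIFETIME = timedelta(days=15)

def key_role(flags: int, signs_zone_data: bool) -> str:
    """DNSKEY SEP bit set (257) marks a KSK, clear (256) a ZSK; a SEP key that also signs zone data is a CSK."""
    sep = bool(flags & 0x0001)
    return "CSK" if sep and signs_zone_data else ("KSK" if sep else "ZSK")

@dataclass
class Key:
    tag: int
    flags: int
    created: datetime          # creation time kept by the signer's key store (assumed)
    signs_zone_data: bool = False

def overdue_keys(keys, now):
    """(tag, role, age_days) for every key older than its role's rotation period."""
    report = []
    for k in keys:
        role, age = key_role(k.flags, k.signs_zone_data), now - k.created
        if age > MAX_KEY_AGE[role]:
            report.append((k.tag, role, age.days))
    return report

def parse_rrsig_time(s: str) -> datetime:
    """RRSIG inception/expiration in presentation format YYYYMMDDHHmmSS, UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def long_lived_signatures(rrsigs):
    """rrsigs: (owner, expiration, inception) from RRSIG RDATA; return owners
    whose validity window exceeds MAX_SIG_LIFETIME."""
    return [o for o, exp, inc in rrsigs
            if parse_rrsig_time(exp) - parse_rrsig_time(inc) > MAX_SIG_LIFETIME]

# Constructed sample data for a fictitious zone; not real keys or signatures.
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    Key(12345, 257, datetime(2024, 1, 15, tzinfo=timezone.utc)),        # KSK, 625 days old
    Key(23456, 256, datetime(2025, 9, 20, tzinfo=timezone.utc)),        # ZSK, 11 days old
    Key(34567, 256, datetime(2025, 8, 1, tzinfo=timezone.utc)),         # ZSK, 61 days old
    Key(45678, 257, datetime(2025, 3, 1, tzinfo=timezone.utc), True),   # CSK, 214 days old
]
SAMPLE_RRSIGS = [
    ("example.test.", "20251015000000", "20250930000000"),      # 15-day window, within policy
    ("www.example.test.", "20251101000000", "20250925000000"),  # 37-day window, too long
]
```

Running `overdue_keys(SAMPLE_KEYS, NOW)` flags the KSK and the older ZSK, and `long_lived_signatures(SAMPLE_RRSIGS)` flags only the 37-day signature.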
@pmevzek @oldsysops @bortzmeyer further reading is available here. https://mastodon.nl/@pletterpet/115230462304550275