Hello John,
John wrote:
> I have been trying to find out if there are any recommendations about the various intervals in a key's life, e.g. how long between publication and activation? Ditto for activation to inactivation? Ditto for inactivation to deletion?
Have a look at "DNSSEC Key Rollover Timing Considerations" (an IETF draft document that might be promoted to an RFC later) --> https://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-06
Also, read RFC 6781 https://tools.ietf.org/html/rfc6781
> I Googled it, but the info out there is not very helpful: Microsoft: 7 - 7300 days (recommends 755 days) for KSK and 7 to 1875 days (recommends 90 days) for ZSK; ENISA: 365-1460 days (recommends 1 yr) for KSK, 1 yr for ZSK; NIST: 1 - 2 yrs for KSK, 1 - 3 months for ZSK. Plus a lot of other recommendations ranging from 1 to 5 yrs for KSK and from 14 days to 2 yrs for ZSK.
There are no technical reasons to roll the DNSSEC keys, but (security-) policy reasons. The policy will be different between sites and organizations.
> I am currently thinking along the lines of 90 days from creation to deletion with an active life of 30 days for ZSKs, and 420 days from creation to deletion with an active life of 360 days for KSKs. Are these reasonable?
Some of the times depend on the propagation times between the master DNS server and the slaves (zone-transfer), the rollover-type (pre-publication or double-signing) and the time-to-live (TTL) of the records in the DNS zone.
Without knowing these values, I cannot say if the times are reasonable. They *look* reasonable.
Usually one starts with the life-times of the KSK and ZSK, and calculates all the other time-values from there (prepublication, activation, deactivation, deletion). It is good practice to also calculate some buffer times.
> Plus, what are the "names" for the various intervals? There does not seem to be a consistent naming convention: the various points in the timeline seem to have fairly standard names, but the intervals do not. What is the period from creation to publication called? Ditto publication to activation, activation to inactivation, inactivation to deletion?
The standard "names" are in RFC 6781 https://tools.ietf.org/html/rfc6781
Best regards
Carsten
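The calculation Carsten describes (start from the active lifetime, derive the other points, add buffer) as an added worked example, not code from the thread: it uses the pre-publication ZSK intervals from the referenced key-timing draft (later RFC 7583), Ipub = Dprp + TTLkey and Iret = Dsgn + Dprp + TTLsig, and checks John's 90-day/30-day ZSK plan against them. All TTL, propagation and signing values are constructed sample inputs.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class TimingInputs:
    """Zone-specific delays a key timeline must absorb (sample values below are constructed)."""
    ttl_key: timedelta   # TTL of the DNSKEY RRset
    ttl_sig: timedelta   # largest TTL among the records the ZSK signs
    d_prp: timedelta     # propagation delay master -> all slaves (zone transfer)
    d_sgn: timedelta     # time needed to re-sign the whole zone with the new key
    buffer: timedelta    # safety margin added to each computed interval

def intervals(t: TimingInputs) -> tuple[timedelta, timedelta]:
    """Pre-publication ZSK rollover: Ipub = Dprp + TTLkey, Iret = Dsgn + Dprp + TTLsig, each plus buffer."""
    ipub = t.d_prp + t.ttl_key + t.buffer
    iret = t.d_sgn + t.d_prp + t.ttl_sig + t.buffer
    return ipub, iret

def zsk_timeline(created_iso: str, active_days: int, t: TimingInputs) -> dict[str, datetime]:
    """Derive publish/activate/inactive/delete from creation date and active lifetime."""
    ipub, iret = intervals(t)
    publish = datetime.fromisoformat(created_iso)   # new key enters the DNSKEY RRset at creation
    activate = publish + ipub                        # earliest safe time to start signing with it
    inactive = activate + timedelta(days=active_days)  # stop signing; old RRSIGs still cached
    delete = inactive + iret                         # earliest safe removal from the DNSKEY RRset
    return {"publish": publish, "activate": activate, "inactive": inactive, "delete": delete}

def plan_fits(total_days: int, active_days: int, t: TimingInputs) -> tuple[bool, timedelta]:
    """Does a creation-to-deletion / active-life plan leave room for Ipub + Iret? Returns (ok, slack)."""
    ipub, iret = intervals(t)
    slack = timedelta(days=total_days - active_days) - (ipub + iret)
    return slack >= timedelta(0), slack

# Constructed sample zone parameters (not taken from the thread).
SAMPLE = TimingInputs(ttl_key=timedelta(days=1), ttl_sig=timedelta(days=1),
                      d_prp=timedelta(hours=2), d_sgn=timedelta(hours=1), buffer=timedelta(days=1))

if __name__ == "__main__":
    for name, when in zsk_timeline("2014-01-01", 30, SAMPLE).items():
        print(f"{name:9s} {when:%Y-%m-%d %H:%M}")
    ok, slack = plan_fits(90, 30, SAMPLE)   # John's proposed 90-day / 30-day-active ZSK plan
    print("plan fits:", ok, "slack:", slack)
```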