DNSSEC
DPS
Zone Signing parameters
Key Lengths and Algorithms
Key Signing Key
We use a key length of 2048 bits with RSA as the generation algorithm.
Zone Signing Key
We use a key length of 1024 bits with RSA as the generation algorithm.
Authenticated Denial of Existence
Authenticated denial of existence will be provided through the use of NSEC records as specified in RFC 4034.
Signature Format
Our signatures are created with the SHA2-256 hash using RSA.
Zone Signing Key Roll-over
We will roll the ZSK on a monthly basis with a pre-publishing scheme as described in RFC 4641, section 4.2.1.1.
Key Signing Key Roll-over
We will roll the KSK on a yearly basis with a double-signing scheme as described in RFC 4641, section 4.2.1.2.
Signature Life-time and Re-signing Frequency
We re-sign our zones once a new zone is generated, with a signature lifetime of 15 days.
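An added example, not part of the original statement or the operator's tooling: a Python check of DNSKEY and RRSIG records in presentation format against the key sizes, algorithm and signature lifetime stated above. It assumes algorithm number 8 for RSA/SHA-256, one record per line with owner, TTL and class present, and an exact 15-day lifetime; all names and sample records are constructed.

```python
import base64
from datetime import datetime, timedelta

# Values from the DPS above. Algorithm 8 is RSA/SHA-256 (RFC 5702).
POLICY_BITS = {257: 2048, 256: 1024}  # DNSKEY flags: 257 = KSK, 256 = ZSK
POLICY_ALG = 8
POLICY_SIG_LIFETIME = timedelta(days=15)

def rsa_modulus_bits(key_b64):
    """Modulus size in bits of an RSA DNSKEY public key field (RFC 3110)."""
    raw = base64.b64decode(key_b64)
    exp_len, off = raw[0], 1
    if exp_len == 0:  # long form: exponent length is in the next two bytes
        exp_len, off = int.from_bytes(raw[1:3], "big"), 3
    modulus = raw[off + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()

def audit(lines):
    """Return deviations from the DPS found in DNSKEY and RRSIG lines."""
    findings = []
    for line in lines:
        owner, _ttl, _cls, rtype, *rdata = line.split()
        if rtype == "DNSKEY":
            flags, alg = int(rdata[0]), int(rdata[2])
            if alg != POLICY_ALG:
                findings.append(f"{owner} DNSKEY {flags}: algorithm {alg}")
                continue
            bits, want = rsa_modulus_bits("".join(rdata[3:])), POLICY_BITS.get(flags)
            if bits != want:
                findings.append(f"{owner} DNSKEY {flags}: {bits}-bit key, policy {want}")
        elif rtype == "RRSIG":
            # RDATA fields 4 and 5 are expiration and inception (YYYYMMDDHHmmSS).
            exp, inc = (datetime.strptime(t, "%Y%m%d%H%M%S") for t in rdata[4:6])
            if exp - inc != POLICY_SIG_LIFETIME:  # exact match is an assumption
                findings.append(f"{owner} RRSIG {rdata[0]}: lifetime {exp - inc}")
    return findings

def sample_key(bits):
    """Constructed key field of the given size; not a usable RSA key."""
    modulus = b"\xc3" + b"\x55" * (bits // 8 - 1)
    return base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode()

SAMPLE = [  # constructed records: owner, TTL, class, type, RDATA
    f"example.test. 3600 IN DNSKEY 257 3 8 {sample_key(2048)}",
    f"example.test. 3600 IN DNSKEY 256 3 8 {sample_key(512)}",
    "example.test. 3600 IN RRSIG SOA 8 2 3600 20240131000000 20240101000000 12345 example.test. c2ln",
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Signers that backdate the inception time to tolerate clock skew will need the lifetime comparison loosened accordingly.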
Resource Records Time-to-live
| Record type | TTL |
|---|---|
| DNSKEY | Equal to the TTL used for the SOA record |
| NSEC | Equal to the minimum field of the SOA record |
| RRSIG | Equal to the lowest TTL of the record set covered |
| DS | Equal to the TTL used for the NS record |

