Your IP address is 54.80.63.78
initiatives_bnr

AFRINIC DNSSEC Service

  

DNSSEC Practice Statement - DPS

 

Zone Signing parameters - Key Lengths and Algorithms

  • Key Signing Key: We use a key length of 2048 bits with RSA as the generation algorithm.
  • Zone Signing Key: We use a key length of 1024 bits with RSA as the generation algorithm.
  • Authenticated Denial of Existence: Authenticated denial of existence will be provided through the use of NSEC records as specified in RFC 4034.
  • Signature Format: Our signatures are created with the SHA2-256 hash using RSA.
  • Zone Signing Key Roll-over: We will roll the ZSK on a monthly basis with a pre-publishing scheme as described in RFC 4641, section 4.2.1.1.
  • Key Signing Key Roll-over: We will roll the KSK on a yearly basis with a double-signing scheme as described in RFC 4641, section 4.2.1.2.
  • Signature Life-time and Re-signing Frequency: We re-sign our zones once a new zone are generated with a signature lifetime of 15 days.

 

Resource Records Time-to-live - Record type TTL

  • DNSKEY: Equal to the TTL used for the SOA record
  • NSEC: Equal to the minimum field of the SOA record
  • RRSIG: Equal to the lowest TTL of the record set covered
  • DS: Equal to the TTL used for the NS record

 

(Page 3 of 5)