
DPS

Zone Signing parameters

Key Lengths and Algorithms

Key Signing Key

The KSK is an RSA key with a 2048-bit modulus.

Zone Signing Key

The ZSK is an RSA key with a 1024-bit modulus.

Authenticated Denial of Existence

Authenticated denial of existence is provided with NSEC records as specified in RFC 4034. Because NSEC rather than NSEC3 is used, the NSEC chain can be followed to enumerate every name in the zone.

Signature Format

Signatures are RSA over a SHA-256 digest, i.e. RSA/SHA-256, DNSSEC algorithm number 8 as defined in RFC 5702.
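The three parameters above (key roles, RSA modulus sizes and algorithm number) can be checked directly against a zone's published DNSKEY RRset. The following is an added example, not code from the registry or from this page: it parses DNSKEY records in presentation format, reads the RSA modulus length out of the RFC 3110 public key encoding, and reports any deviation from the values stated here. The DNSKEY lines it runs on are constructed with the correct wire layout but are not real key pairs. Note that a 1024-bit RSA modulus is below current guidance for signing keys (NIST SP 800-131A disallows 1024-bit RSA for new signatures); the check enforces the sizes this DPS states and flags nothing else.

```python
import base64
import struct

# Parameters stated in this DPS.
RSASHA256 = 8                              # RSA/SHA-256, DNSSEC algorithm number from RFC 5702
EXPECTED_BITS = {"KSK": 2048, "ZSK": 1024}
# Algorithm numbers from the IANA DNSSEC algorithm registry, for readable findings.
ALGORITHM_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
                   10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
                   15: "ED25519", 16: "ED448"}


def key_role(flags):
    """Map DNSKEY flags to a role: bit 7 (value 256) marks a zone key and
    bit 15 (value 1) the Secure Entry Point, so 257 is a KSK and 256 a ZSK."""
    if not flags & 0x0100:
        return "not-a-zone-key"
    return "KSK" if flags & 0x0001 else "ZSK"


def rsa_modulus_bits(pubkey_b64):
    """Modulus length in bits of an RSA DNSKEY public key field. RFC 3110 layout:
    a 1-byte exponent length (or a 0 byte followed by a 2-byte length for
    exponents longer than 255 bytes), the exponent, then the modulus; the whole
    field is base64 encoded in presentation format."""
    raw = base64.b64decode(pubkey_b64)
    if raw[0] != 0:
        exp_len, offset = raw[0], 1
    else:
        exp_len, offset = struct.unpack("!H", raw[1:3])[0], 3
    modulus = raw[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(line):
    """Parse a DNSKEY record in presentation format. Zone files may split the
    base64 key into several whitespace-separated chunks, so rejoin everything
    after the algorithm field."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    return {"owner": tokens[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "key": "".join(tokens[i + 4:])}


def check_dnskey(line):
    """Compare one DNSKEY record against the DPS. Returns a list of findings;
    an empty list means the key conforms."""
    rec = parse_dnskey(line)
    role = key_role(rec["flags"])
    if role not in EXPECTED_BITS:
        return [f"flags {rec['flags']}: not a zone key"]
    findings = []
    if rec["protocol"] != 3:
        findings.append(f"{role} protocol field is {rec['protocol']}, must be 3")
    if rec["algorithm"] != RSASHA256:
        name = ALGORITHM_NAMES.get(rec["algorithm"], str(rec["algorithm"]))
        findings.append(f"{role} algorithm is {name}, DPS requires RSASHA256 (8)")
        return findings          # the RFC 3110 modulus parsing below is RSA-only
    bits = rsa_modulus_bits(rec["key"])
    if bits != EXPECTED_BITS[role]:
        findings.append(f"{role} modulus is {bits} bits, DPS requires {EXPECTED_BITS[role]}")
    return findings


def make_test_dnskey(owner, flags, algorithm, bits):
    """Build a DNSKEY line whose public key field is CONSTRUCTED: correct
    RFC 3110 layout and modulus size, but not a real key pair."""
    exponent = (65537).to_bytes(3, "big")
    modulus = ((1 << (bits - 1)) | 0x10001).to_bytes(bits // 8, "big")
    key = base64.b64encode(bytes([len(exponent)]) + exponent + modulus).decode()
    return f"{owner} 3600 IN DNSKEY {flags} 3 {algorithm} {key}"


if __name__ == "__main__":
    for rec in (make_test_dnskey("example.", 257, 8, 2048),   # conforming KSK
                make_test_dnskey("example.", 256, 8, 1024),   # conforming ZSK
                make_test_dnskey("example.", 256, 8, 2048),   # ZSK with the wrong size
                make_test_dnskey("example.", 257, 13, 2048)): # KSK with the wrong algorithm
        print(check_dnskey(rec) or ["ok"])
```

To run this against a live zone, feed it the output of `dig +short DNSKEY <zone>` with the owner name prepended, or the DNSKEY lines of the signed zone file; any key whose flags are not 256 or 257 is reported rather than silently skipped, since a non-zone key in the apex DNSKEY set is itself worth a look.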

Zone Signing Key Roll-over

We will roll the ZSK on a monthly basis with a pre-publishing scheme as described in RFC 4641, section 4.2.1.1.

Key Signing Key Roll-over

We will roll the KSK on a yearly basis with a double-signing scheme as described in RFC 4641, section 4.2.1.2.

Signature Life-time and Re-signing Frequency

We re-sign a zone each time a new version of it is generated; signatures have a lifetime of 15 days.
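The two rollover schemes and the 15-day signature lifetime above interact: a pre-publish ZSK roll cannot switch to the new key until the new DNSKEY set has had time to reach every cache, the old ZSK cannot be dropped while signatures made with it may still be valid and cached, and the whole sequence must finish inside the monthly roll period. The following is an added example, not the registry's tooling: it lays out both timelines and checks an RRSIG's validity window against the 15-day lifetime. The signature lifetime is taken from this page; the DNSKEY TTL, largest zone TTL, DS TTL, propagation time and parent publication delay are assumptions chosen for illustration, and the sample RRSIG is constructed with a filler signature field.

```python
from datetime import datetime, timedelta, timezone

SIG_LIFETIME = timedelta(days=15)        # stated in this DPS
ZSK_ROLL_PERIOD = timedelta(days=30)     # "monthly", approximated as 30 days
# The operational values below are ASSUMPTIONS for the example, not taken from this page.
DNSKEY_TTL = timedelta(hours=1)          # TTL of the SOA, and hence of the DNSKEY set
MAX_ZONE_TTL = timedelta(days=1)         # longest TTL of any signed RRset in the zone
DS_TTL = timedelta(days=1)               # TTL of the DS RRset at the parent
PROPAGATION = timedelta(hours=2)         # time until every authoritative server serves a new zone
PARENT_DELAY = timedelta(days=2)         # time for the parent to publish a submitted DS
EXAMPLE_START = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed start of a rollover


def prepublish_zsk_rollover(start):
    """Pre-publish ZSK rollover timeline (RFC 4641, section 4.2.1.1).

    publish: the new ZSK enters the DNSKEY RRset; the zone is still signed with the old ZSK.
    switch:  the zone is re-signed with the new ZSK. Safe once no validator can still
             hold a DNSKEY set without the new key: DNSKEY TTL plus propagation.
    remove:  the old ZSK leaves the DNSKEY RRset. Old RRSIGs may stay cached for up to
             the largest zone TTL after the last server stops serving them, and remain
             valid until they expire, so wait for the longer of the two.
    """
    publish = start
    switch = publish + DNSKEY_TTL + PROPAGATION
    remove = switch + PROPAGATION + max(MAX_ZONE_TTL, SIG_LIFETIME)
    return {"publish": publish, "switch": switch, "remove": remove}


def double_signature_ksk_rollover(start):
    """Double-signature KSK rollover timeline (the RFC 4641 double-signature scheme
    applied to the KSK).

    publish:   the new KSK enters the DNSKEY RRset, which is signed with BOTH KSKs.
    ds_submit: once every validator can see the new DNSKEY set, the new DS goes to the parent.
    ds_live:   the parent publishes the new DS and withdraws the old one.
    remove:    the old KSK leaves the zone once the old DS can no longer be cached anywhere.
    """
    publish = start
    ds_submit = publish + DNSKEY_TTL + PROPAGATION
    ds_live = ds_submit + PARENT_DELAY
    remove = ds_live + DS_TTL + PROPAGATION
    return {"publish": publish, "ds_submit": ds_submit, "ds_live": ds_live, "remove": remove}


def zsk_rollover_fits_period(start):
    """A monthly ZSK roll only works if one rollover completes before the next starts."""
    sched = prepublish_zsk_rollover(start)
    return sched["remove"] - sched["publish"] <= ZSK_ROLL_PERIOD


def parse_rrsig_window(line):
    """Inception and expiration of an RRSIG in presentation format. RDATA order:
    type covered, algorithm, labels, original TTL, expiration, inception, key tag,
    signer name, signature (RFC 4034, section 3.2)."""
    tokens = line.split()
    i = tokens.index("RRSIG")
    fmt = "%Y%m%d%H%M%S"
    expiration = datetime.strptime(tokens[i + 5], fmt).replace(tzinfo=timezone.utc)
    inception = datetime.strptime(tokens[i + 6], fmt).replace(tzinfo=timezone.utc)
    return inception, expiration


def rrsig_matches_policy(line, now):
    """True when the signature spans exactly the 15-day lifetime and is valid at `now`."""
    inception, expiration = parse_rrsig_window(line)
    return expiration - inception == SIG_LIFETIME and inception <= now < expiration


# CONSTRUCTED sample RRSIG; the signature field is filler, not a real signature.
SAMPLE_RRSIG = ("example. 3600 IN RRSIG SOA 8 1 3600 20240116000000 20240101000000 "
                "12345 example. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")

if __name__ == "__main__":
    for name, when in prepublish_zsk_rollover(EXAMPLE_START).items():
        print(f"ZSK {name:10} {when:%Y-%m-%d %H:%M}")
    for name, when in double_signature_ksk_rollover(EXAMPLE_START).items():
        print(f"KSK {name:10} {when:%Y-%m-%d %H:%M}")
    print("fits monthly period:", zsk_rollover_fits_period(EXAMPLE_START))
    print("sample RRSIG matches policy:",
          rrsig_matches_policy(SAMPLE_RRSIG, EXAMPLE_START + timedelta(days=10)))
```

With the assumed values, the ZSK roll takes just over 15 days end to end, so a monthly cadence leaves roughly two weeks of slack; if the signature lifetime were raised, or the largest zone TTL exceeded it, the old ZSK would have to stay published correspondingly longer and the slack would shrink.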

Resource Records Time-to-live

Record type   TTL
DNSKEY        Equal to the TTL used for the SOA record
NSEC          Equal to the minimum field of the SOA record
RRSIG         Equal to the lowest TTL of the record set covered
DS            Equal to the TTL used for the NS record