Moin! On 05.02.2010, at 15:58, Jim Reid wrote:
> On 5 Feb 2010, at 14:18, Ralf Weber wrote:
>> With the root planning for much longer time frames on KSK rollovers, maybe RIPE NCC should think about increasing its KSK lifetimes.
> Ralf, I don't follow you. Could you please explain why the NCC should increase the lifetime of its KSKs? Just because "the root's going to have long KSK lifetimes" isn't an answer. :-) As I'm sure you know, there are all sorts of trade-offs that have to be made when choosing key sizes and rollover intervals. And every zone has its own set of requirements and operational criteria. So what's good for one zone may not be so suitable for another.

Well, the original reason was Anand's mail that Fedora delivered an old RIPE key. This would not be the case with a key lifetime of, say, two years. I always thought that RIPE's schedule was too aggressive wrt key rollovers, as even in this industry it takes time for people/OS vendors to act.
> I'd like to hear the reasoning why key management by the NCC should be the same as that for the root, particularly if it goes beyond the usual "if it's good enough for the root, it's good enough for me". FWIW, I regularly make that case when people ask me what DNS software they should run.

I didn't say that, and there are good reasons for not having it the same, especially not rolling all the keys at the same time. I do think, however, that in the long term, with more zones (think millions) signed, there will probably be a best practice for leaf zones.
> What I do think would be helpful is a document explaining how the eventual parameters were chosen and the trade-offs/thinking that went into those choices. This is needed for DNSSEC generally as well as for the root zone and the NCC's bits of the .arpa tree.

Agreed, it would be great to have that.
So long
-Ralf

---
Ralf Weber (Internet Citizen)
e: dns@fl1ger.de