
AFRINIC DNSSEC Service

DNSSEC Practice Statement - DPS

Zone Signing parameters - Key Lengths and Algorithms

  • Key Signing Key: We use a key length of 2048 bits with RSA as the generation algorithm.
  • Zone Signing Key: We use a key length of 1024 bits with RSA as the generation algorithm.
  • Authenticated Denial of Existence: Authenticated denial of existence will be provided through the use of NSEC records as specified in RFC 4034.
  • Signature Format: Our signatures are created with RSA using the SHA-256 hash.
  • Zone Signing Key Roll-over: We will roll the ZSK on a monthly basis with a pre-publishing scheme as described in RFC 4641, section 4.2.1.1.
  • Key Signing Key Roll-over: We will roll the KSK on a yearly basis with a double-signing scheme as described in RFC 4641, section 4.2.1.2.
  • Signature Life-time and Re-signing Frequency: We re-sign our zones each time a new zone is generated, with a signature lifetime of 15 days.

Resource Records Time-to-live (record type: TTL)

  • DNSKEY: Equal to the TTL used for the SOA record
  • NSEC: Equal to the minimum field of the SOA record
  • RRSIG: Equal to the lowest TTL of the record set covered
  • DS: Equal to the TTL used for the NS record
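The ZSK roll-over parameters above and the DNSKEY/RRSIG TTL rules just listed interact: a pre-publish roll is only safe if each step waits long enough for the relevant records to age out of every resolver cache. The following Python model is an added illustration, not AFRINIC's code or configuration. It encodes the RFC 4641 section 4.2.1.1 timeline, derives the waiting periods from the TTLs, and brute-checks that every DNSKEY RRset and RRSIG a validator could hold at the same moment still validate. The TTL values (one day), the key labels and the roll date are constructed assumptions; the 15-day signature lifetime is the one stated in the DPS.

```python
"""Model of the pre-publish ZSK roll-over of RFC 4641 section 4.2.1.1.
Constructed example: the TTL values, key labels and dates are assumptions,
not values taken from AFRINIC's zones."""
from datetime import datetime, timedelta

# Assumed TTLs (constructed). The DPS sets the DNSKEY TTL equal to the SOA TTL
# and the RRSIG TTL equal to the TTL of the covered RRset, so the longest
# record TTL in the zone bounds how long a stale RRSIG can sit in a cache.
SOA_TTL = timedelta(days=1)        # -> DNSKEY TTL
MAX_RR_TTL = timedelta(days=1)     # longest TTL of any signed RRset -> RRSIG TTL
SIG_LIFETIME = timedelta(days=15)  # signature lifetime stated in the DPS
ROLL_START = datetime(2024, 1, 1)  # constructed date of the key publication


def prepublish_schedule(publish_at, old_zsk, new_zsk,
                        dnskey_ttl=SOA_TTL, max_rr_ttl=MAX_RR_TTL):
    """Earliest safe transitions for a pre-publish ZSK roll.
    Each entry is (effective time, DNSKEY RRset, ZSK that signs the zone)."""
    t_sign = publish_at + dnskey_ttl   # every cache may now hold the new DNSKEY
    t_del = t_sign + max_rr_ttl        # every RRSIG by the old ZSK has left caches
    return [
        # steady state before the roll; its date only needs to precede publish_at
        (publish_at - dnskey_ttl, frozenset({"ksk", old_zsk}), old_zsk),
        (publish_at, frozenset({"ksk", old_zsk, new_zsk}), old_zsk),
        (t_sign, frozenset({"ksk", old_zsk, new_zsk}), new_zsk),
        (t_del, frozenset({"ksk", new_zsk}), new_zsk),
    ]


def hasty_schedule(publish_at, old_zsk, new_zsk):
    """The same roll, but the old key is deleted the moment the signer changes."""
    good = prepublish_schedule(publish_at, old_zsk, new_zsk)
    return good[:2] + [(good[2][0], good[3][1], good[3][2])]


def zone_state(schedule, t):
    """Zone contents (DNSKEY RRset, signing ZSK) served at time t."""
    state = schedule[0][1:]
    for when, keys, signer in schedule:
        if when <= t:
            state = (keys, signer)
    return state


def states_fetched_in(schedule, start, end):
    """Distinct zone states a resolver may have fetched during [start, end]."""
    seen = {zone_state(schedule, start)}
    for when, keys, signer in schedule:
        if start < when <= end:
            seen.add((keys, signer))
    return seen


def validation_failures(schedule, dnskey_ttl=SOA_TTL, rr_ttl=MAX_RR_TTL):
    """A validator may pair any DNSKEY RRset fetched within dnskey_ttl with any
    RRSIG fetched within rr_ttl; every pairing must validate, i.e. the RRSIG's
    signer must be present in the DNSKEY RRset. The pairings only change when
    a cache-window edge crosses a zone transition, so checking those instants
    plus the midpoints between them is exhaustive."""
    edges = sorted({when + d for when, _, _ in schedule
                    for d in (timedelta(0), dnskey_ttl, rr_ttl)})
    instants = edges + [a + (b - a) / 2 for a, b in zip(edges, edges[1:])]
    failures = []
    for t in instants:
        keysets = {k for k, _ in states_fetched_in(schedule, t - dnskey_ttl, t)}
        signers = {s for _, s in states_fetched_in(schedule, t - rr_ttl, t)}
        for keys in keysets:
            for signer in signers:
                if signer not in keys:
                    failures.append((t, signer, tuple(sorted(keys))))
    return failures


def max_resign_interval(sig_lifetime=SIG_LIFETIME, rr_ttl=MAX_RR_TTL):
    """Longest gap between re-signings such that a cached RRSIG is still inside
    its validity period for as long as a cache may keep serving it."""
    return sig_lifetime - rr_ttl


if __name__ == "__main__":
    for label, sched in (("pre-publish", prepublish_schedule(ROLL_START, "zsk-old", "zsk-new")),
                         ("hasty", hasty_schedule(ROLL_START, "zsk-old", "zsk-new"))):
        bad = validation_failures(sched)
        print(f"{label}: {len(bad)} failing cache pairings")
        for t, signer, keys in bad[:3]:
            print(f"  at {t}: RRSIG by {signer} vs DNSKEY {keys}")
    print("re-sign at least every", max_resign_interval())
```

Running the script shows the RFC 4641 timeline producing no failing pairings, while the "hasty" variant (old key removed as soon as the new key starts signing) yields resolvers holding an RRSIG by the old ZSK next to a DNSKEY RRset that no longer contains it. With these assumed TTLs the 15-day signature lifetime leaves a 14-day upper bound on the gap between re-signings, comfortably above the per-zone-generation re-signing the DPS describes.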

