AFRINIC DNSSEC Service
Table of contents
- AFRINIC DNSSEC Service
- AFRINIC DNSSEC Deployment plan
- DNSSEC Practice Statement - DSP
- DNSSEC delegations
- Communication plan
DNSSEC Practice Statement - DPS
Zone Signing parameters - Key Lengths and Algorithms
- Key Signing Key: We use a key length of 2048 bits with RSA as the generation algorithm.
- Zone Signing Key: We use a key length of 1024 bits with RSA as the generation algorithm.
- Authenticated Denial of Existence: Authenticated denial of existence will be provided through the use of NSEC records as specified in RFC 4034.
- Signature Format: Our signatures are created with the SHA2-256 hash using RSA.
- Zone Signing Key Roll-over: We will roll the ZSK on a monthly basis with a pre-publishing scheme as described in RFC 4641, section 126.96.36.199.
- Key Signing Key Roll-over: We will roll the KSK on a yearly basis with a double-signing scheme as described in RFC 4641, section 188.8.131.52.
- Signature Life-time and Re-signing Frequency: We re-sign our zones once a new zone are generated with a signature lifetime of 15 days.
Resource Records Time-to-live - Record type TTL
- DNSKEY: Equal to the TTL used for the SOA record
- NSEC: Equal to the minimum field of the SOA record
- RRSIG: Equal to the lowest TTL of the record set covered
- DS: Equal to the TTL used for the NS record