On 05/02/2010 15:58, Jim Reid wrote:
What I do think would be helpful is a document explaining how the eventual parameters were chosen and the trade-offs/thinking that went into those choices. This is needed for DNSSEC generally as well as for the root zone and the NCC's bits of the .arpa tree.
The RIPE NCC was an early adopter of DNSSEC way back in 2005, and at the time, there was very little operational experience. It was important to exercise the various processes, including key roll-overs. A relatively short roll-over period of 6 months allowed us to invoke our roll-over procedures more frequently. This is especially important as some of our processes are still manual.

Things are a bit different now. DNSSEC toolsets have improved, and there are both commercial and open-source products available to handle a lot of the heavy-lifting needed to maintain DNSSEC-signed zones. It would probably be okay to have longer key lifetimes now.

Regards,

Anand Buddhdev,
DNS Services Manager, RIPE NCC