> > > And based on my reading of the intro these keys need to be updated at
> > > least monthly?
> > >
> > > Michael

> >
> > The frequency keys need to be changed is based on their
> > strength (size). The current recommendations are very
> > conservitive and also factor in that humans need to repeat
> > operations regularly to get them correct and not forget how
> > to do the rollover. From a crypto standpoint alone you,
> > generally, don't need to roll keys monthly.
> >
> > As more and more automation takes place the frequency of
> > rolling keys will fall more and more into line with their
> > crypto strength rather than be driven by human requirements.
> >
> > SSL certificates are valid for multiple years and they use
> > the same crypto. They are also simpler to use at this point
> > in time. Buy and copy into place.

>
> So for the domain name "networkstuff.co.nz", I would need to buy a certificat
> e
> for "networkstuff.co.nz" or would it need to be a wildcard certificate?
> ie: "*.networkstuff.co.nz" as these are expensive...


You are confusing SSL and DNSSEC. Both use the same
underlying public key cryptography techniques. They just
package them up diffently.

For DNSSEC you using dnssec-keygen to create the key and
dnssec-signzone to sign the zone. You pass the DS RRset
to your parent zones administrator for them to sign so they
can make a secure referral to you. If your parent is not
yet signed you can send the DS RRset (or DLV RRset) to us
and we will include it in the DLV tree. It's a trival
matter to convert from DS to DLV as only the name and type
code are changed.

If you send us your DS/DLV RRset then when your parent start
signing their zone you need to tell us to remove the DLV
RRset and to send the parent zone the DS RRset.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org