> > It depends on what you are trying to do...
> >
> > SSL certificates are not used in DNSSEC, so if you are talking about "to
> > deploy DNSSEC", then the answer is NO.
> >
> > If you are trying to secure your http, pop, imap, etc. sessions, and a
> > self-signed certificate is not enough then yes, you need to buy a
> > "certificate"

> I'm talking about DNS SEC (signed zones)... so in other words I can't sign a
> zone with a CA issued certificate.

The point I was trying to make is that 1 month key rollovers
far exceed best pactice for 1024 bit key sizes. Where best
practice is looking at military requirements. If you look
in your brower you will probably see 1024 bit certificates
with lifetimes of 20 years which is commercial requirements.

Rolling a 1024 bit key every 5-10 years should be fine but
you are likely to forget how to do it properyly.

There isn't one answer that will fits the actual usage

I don't roll by keys monthly. I'll do it annually, and
even then it will be overkill for what it is protecting,
but I'm also unlikely to forget how to it.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org