
In order to implement auto-dnssec maintain in the 9.7+ versions of BIND, one adds dates to the keys as metadata. After a lot of reading, I've come up with the following and hope that someone can confirm or correct it:

$TTL 8h
KSK lifespan == 1y
ZSK lifespan == 30d

Key    created  published    active        revoke       inactive   delete
KSK1                         [KSK0 revoke] [active      [revoke    [inactive
                                            + lifespan]  + 2*TTL]   + 2*TTL]
KSK2            [KSK1 revoke [KSK1 revoke]
                 - 2*TTL]

ZSKs would follow a similar pattern.

The most difficult requirement is the graceful rollover of the KSKs and ZSKs. I understand that there is a need for overlap while a pair of KSKs or ZSKs are used simultaneously, but I need help with the proper size of those overlaps.

Doubling up on the number of ZSKs (during overlap) must double the number of RRSIG records and consequently almost double the size of the query responses. This is quite subjective, but does this double load ever become significant?

Presumably, the creation and deletion of the KSK DS records should correspond with the 'published' and 'delete' dates of the keys?

ericx
  • I just found the `-S` option for `dnssec-keygen` which provides some values for some of these. – ericx Apr 27 '15 at 22:32
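As an added illustration, not code from the question or from BIND's own tooling, the script below turns the timing rules stated above ($TTL 8h, a 1y KSK and 30d ZSK lifespan, a 2*TTL margin on either side of a rollover) into the `-P/-A/-I/-D` dates that `dnssec-settime` stores as key metadata, and checks the two properties a validating resolver depends on: there is never a moment without an active key, and every key is visible for at least one TTL before it starts signing and after it stops. `START` and the key file name are constructed placeholders, and the question's separate "revoke" event is not modelled (the successor takes over at the predecessor's inactive date).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import accumulate

TTL = timedelta(hours=8)                                   # $TTL 8h, as in the question
LIFESPAN = {"KSK": timedelta(days=365), "ZSK": timedelta(days=30)}
OVERLAP = 2 * TTL                                          # the question's 2*TTL margin
FMT = "%Y%m%d%H%M%S"                                       # timestamp form dnssec-settime accepts
START = datetime(2015, 5, 1)                               # constructed first-activation date

@dataclass
class KeyTiming:
    name: str
    publish: datetime
    activate: datetime
    inactive: datetime
    delete: datetime

def schedule(kind: str, first_activation: datetime, count: int) -> list[KeyTiming]:
    """Successor is published OVERLAP before the predecessor goes inactive and is
    active from that moment; predecessor is deleted OVERLAP later (no revoke)."""
    keys, activate = [], first_activation
    for i in range(count):
        inactive = activate + LIFESPAN[kind]
        keys.append(KeyTiming(f"{kind}{i}", activate - OVERLAP, activate,
                              inactive, inactive + OVERLAP))
        activate = inactive                                # successor takes over here
    return keys

def settime_command(k: KeyTiming, keyfile: str) -> str:
    """dnssec-settime invocation that writes the four dates into the key's metadata."""
    return (f"dnssec-settime -P {k.publish:{FMT}} -A {k.activate:{FMT}} "
            f"-I {k.inactive:{FMT}} -D {k.delete:{FMT}} {keyfile}")

def check_rollover(keys: list[KeyTiming], ttl: timedelta = TTL) -> list[str]:
    """No moment without an active key; each key visible one TTL before/after signing."""
    problems = []
    for prev, nxt in zip(keys, keys[1:]):
        if nxt.activate > prev.inactive:
            problems.append(f"gap: {prev.name} inactive before {nxt.name} active")
        if nxt.activate - nxt.publish < ttl:
            problems.append(f"{nxt.name} pre-published less than one TTL")
        if prev.delete - prev.inactive < ttl:
            problems.append(f"{prev.name} deleted less than one TTL after retiring")
    return problems

def peak_published(keys: list[KeyTiming]) -> int:
    """Largest number of keys in the zone at once (each extra ZSK adds RRSIGs)."""
    events = sorted([(k.publish, 1) for k in keys] + [(k.delete, -1) for k in keys])
    return max(accumulate(delta for _, delta in events))
```

With the question's numbers the ZSK chain never has more than two keys published at once, so the RRSIG doubling is confined to a 4*TTL window around each rollover rather than being the steady state.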

0 Answers