DNSSEC in Estonian Internet Foundation
DNSSEC PRACTICE STATEMENT
Download DPS (DNSSEC Practice Statement) of .ee
KEYS AND PARAMETERS
Estonian Internet Foundation uses a two-key-pair scheme (KSK + ZSK) for signing the .ee DNS records.
KSK (Key signing key) algorithm: | RSA 2048 |
ZSK (Zone signing key) algorithm: | RSA 1024 |
Denial of existence: | NSEC3 |
Signatures are generated with RSA/SHA-256 (DNSSEC algorithm 8). The validity period of each signature is randomised between 14 and 28 days.
TTLs of DNSSEC records:
DNSKEY | 3600 seconds |
DS | 3600 seconds |
NSEC3 | 3600 seconds |
RRSIG | 14-28 days (signature validity period; the TTL of an RRSIG itself follows the TTL of the RRset it covers) |
KEY ROLLOVER
All DNSSEC key material is generated and kept only in HSMs (Hardware Security Modules). Keys are generated once a year. ZSKs are rolled over once every quarter.
KSKs are rolled over as required.
DNSKEY AND DS
ZSK: DNSKEY 256 3 8 (AwEAAcbE1nCNl1OytbTranWZB9laFePM3w/nnocXmozaA3OlEXKlI/vRExrhwWUWoZPORgq7PGUk+BIGnplqkMIZUpMogkxrtXSxH8UFMmRzn+7HTXxEq518b1fVAfY3UDzvP+gKTyte63Te1VznnjVAXNuQJ5dRcdXFRNucyOGq7zDSVYjBUy5nXazeHjlyo63f18N3rh4nesIj57/7T5tVDgNhWUjPg0TM6BpQgzJOSASG5CiuqBNW0k7Zlyk8WyOunvRnrvhiaaL8YdNxDKyyaxnKB/kyTiXgNzkyLZ373ktcEsuZ05cYY8hbnTIyQQdCGBniXaIO7UPys3WLTaomo08=) ; ZSK; alg = RSASHA256; key id = 8076
KSK: DNSKEY 257 3 8 (AwEAAdW9k6NT/VeswfTCamM53qpD/7rG7dGV1kQBMoy5XEzzY/1hg2BC+sYKCFkAjCsLglkOJ5yihSySIvTLLuc5KGcV9KfSUEGoQB3eThw3PtxstLKRiZIcJ7a43SY0bK/HlxveEfrDHTubp7oOgp4I0BskDGrERK5M3L7QMlDvmVqqXsFBOF72AcHXO7+Hq8sbSC99wiAvioChFg7FpjJfY5QSJenGQatik2HtGG/AfcTxstfQnUok8BzQ3TSs0U2ySIa2j3GzwNN5t7NghiOq9Bod6H2KddwkmEybY20Q0QW9pPbdgszT0tg594XTkwspeEhWIYNn2X34EldF8U+LjT0=) ; KSK; alg = RSASHA256; key id = 34382
DS: DS 34382 8 2 000A3D89DC6CD4BA00EA8AFFEE3967D3A26DE7A545FBEFE16BA07518 FC8D54F6
31.01.2014
EPP
The .ee registry accepts only DNSKEY data (<secDNS:keyData>, EPP secDNS-1.1 as defined in RFC 5910). The registry system generates the DS record from it automatically, using SHA-256 (digest type 2).
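Added example, not code from this page or from the .ee registry: it decodes the two DNSKEY records published in the "DNSKEY AND DS" section above, derives the key tag (RFC 4034 Appendix B), the RSA modulus size (RFC 3110) and the SHA-256 DS record (RFC 4034 section 5.1.4), and then builds the EPP <secDNS:keyData> element a registrar submits and re-derives the DS from it the way the registry side does. Everything is taken from the page (zone ee., flags 257/256, protocol 3, algorithm 8, the two base64 public keys, the published DS with dig's mid-digest space removed); the function and constant names are this example's own.

```python
"""Decode the .ee DNSKEY records, derive key tag / key size / SHA-256 DS, and
round-trip the key through an EPP secDNS-1.1 keyData element (added example)."""
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

SECDNS_NS = "urn:ietf:params:xml:ns:secDNS-1.1"
ET.register_namespace("secDNS", SECDNS_NS)

# Public keys copied from the DNSKEY records on this page (base64 unchanged).
ZONE = "ee."
KSK_PUBKEY = ("AwEAAdW9k6NT/VeswfTCamM53qpD/7rG7dGV1kQBMoy5XEzzY/1hg2BC+sYK"
              "CFkAjCsLglkOJ5yihSySIvTLLuc5KGcV9KfSUEGoQB3eThw3PtxstLKRiZIc"
              "J7a43SY0bK/HlxveEfrDHTubp7oOgp4I0BskDGrERK5M3L7QMlDvmVqqXsFB"
              "OF72AcHXO7+Hq8sbSC99wiAvioChFg7FpjJfY5QSJenGQatik2HtGG/AfcTx"
              "stfQnUok8BzQ3TSs0U2ySIa2j3GzwNN5t7NghiOq9Bod6H2KddwkmEybY20Q"
              "0QW9pPbdgszT0tg594XTkwspeEhWIYNn2X34EldF8U+LjT0=")
ZSK_PUBKEY = ("AwEAAcbE1nCNl1OytbTranWZB9laFePM3w/nnocXmozaA3OlEXKlI/vRExrh"
              "wWUWoZPORgq7PGUk+BIGnplqkMIZUpMogkxrtXSxH8UFMmRzn+7HTXxEq518"
              "b1fVAfY3UDzvP+gKTyte63Te1VznnjVAXNuQJ5dRcdXFRNucyOGq7zDSVYjB"
              "Uy5nXazeHjlyo63f18N3rh4nesIj57/7T5tVDgNhWUjPg0TM6BpQgzJOSASG"
              "5CiuqBNW0k7Zlyk8WyOunvRnrvhiaaL8YdNxDKyyaxnKB/kyTiXgNzkyLZ37"
              "3ktcEsuZ05cYY8hbnTIyQQdCGBniXaIO7UPys3WLTaomo08=")
# DS published on this page, with dig's whitespace inside the digest removed.
PUBLISHED_DS = ("34382 8 2 000A3D89DC6CD4BA00EA8AFFEE3967D3A26DE7A545FBEFE16BA07518"
                "FC8D54F6")


def dnskey_rdata(flags, protocol, alg, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, alg) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of the owner name: lowercase labels, no compression."""
    labels = [label for label in name.split(".") if label]
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"


def rsa_modulus_bits(pubkey_b64):
    """Modulus size of an RFC 3110 RSA key: exponent length, exponent, modulus."""
    pub = base64.b64decode(pubkey_b64)
    exp_len, offset = pub[0], 1
    if exp_len == 0:  # long form: a two-byte exponent length follows
        exp_len, offset = struct.unpack("!H", pub[1:3])[0], 3
    return int.from_bytes(pub[offset + exp_len:], "big").bit_length()


def ds_record(owner, flags, protocol, alg, pubkey_b64, digest_type=2):
    """DS RDATA in presentation form; digest = SHA-256(owner name | DNSKEY RDATA)."""
    if digest_type != 2:
        raise ValueError("this example implements SHA-256 (digest type 2) only")
    rdata = dnskey_rdata(flags, protocol, alg, pubkey_b64)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest}"


def epp_key_data(flags, protocol, alg, pubkey_b64):
    """The <secDNS:keyData> element a registrar sends over EPP (RFC 5910)."""
    kd = ET.Element(f"{{{SECDNS_NS}}}keyData")
    for tag, value in (("flags", flags), ("protocol", protocol),
                       ("alg", alg), ("pubKey", pubkey_b64)):
        ET.SubElement(kd, f"{{{SECDNS_NS}}}{tag}").text = str(value)
    return ET.tostring(kd, encoding="unicode")


def registry_ds_from_key_data(owner, key_data_xml):
    """Registry side: accept keyData only and derive the SHA-256 DS from it."""
    kd = ET.fromstring(key_data_xml)

    def field(tag):
        return kd.findtext(f"{{{SECDNS_NS}}}{tag}")

    return ds_record(owner, int(field("flags")), int(field("protocol")),
                     int(field("alg")), field("pubKey"), digest_type=2)


def check_published_ds():
    """True if the DS derived from the page's KSK equals the DS the page publishes."""
    return ds_record(ZONE, 257, 3, 8, KSK_PUBKEY) == PUBLISHED_DS


if __name__ == "__main__":
    for role, flags, key in (("KSK", 257, KSK_PUBKEY), ("ZSK", 256, ZSK_PUBKEY)):
        rdata = dnskey_rdata(flags, 3, 8, key)
        print(f"{role}: key tag {key_tag(rdata)}, RSA {rsa_modulus_bits(key)} bits")
    key_data = epp_key_data(257, 3, 8, KSK_PUBKEY)
    print(key_data)
    print("DS derived by registry:", registry_ds_from_key_data(ZONE, key_data))
    print("matches published DS:", check_published_ds())
```

Running the script prints the key tag and modulus size of both keys, so the algorithm table above can be checked against the records actually published, and reports whether the DS recomputed from the KSK equals the published one. The same derivation is what a registrar can run before an EPP update to confirm the registry will publish the DS it expects.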