DNSSEC PRACTICE STATEMENT

Download DPS (DNSSEC Practice Statement) of .ee

KEYS AND PARAMETERS

The Estonian Internet Foundation uses a two-key-pair scheme (KSK + ZSK) to sign the DNS records of the .ee zone.

KSK (Key Signing Key) algorithm: RSA 2048
ZSK (Zone Signing Key) algorithm: RSA 1024
Denial of existence: NSEC3

Signatures are generated with the SHA-256 based algorithm (RSASHA256). The validity period of each signature is chosen randomly between 14 and 28 days.

TTLs of DNSSEC records:

DNSKEY: 3600 seconds
DS: 3600 seconds
NSEC3: 3600 seconds
RRSIG: 14-28 days

KEY ROLLOVER

All DNSSEC key material is generated and kept only in HSMs (Hardware Security Modules). Keys are generated once a year.

ZSKs are rolled over once every quarter.
KSKs are rolled over as required.

DNSKEY AND DS

ZSK: DNSKEY 256 3 8 (AwEAAcbE1nCNl1OytbTranWZB9laFePM3w/nnocXmozaA3OlEXKlI/vRExrhwWUWoZPORgq7PGUk+BIGnplqkMIZUpMogkxrtXSxH8UFMmRzn+7HTXxEq518b1fVAfY3UDzvP+gKTyte63Te1VznnjVAXNuQJ5dRcdXFRNucyOGq7zDSVYjBUy5nXazeHjlyo63f18N3rh4nesIj57/7T5tVDgNhWUjPg0TM6BpQgzJOSASG5CiuqBNW0k7Zlyk8WyOunvRnrvhiaaL8YdNxDKyyaxnKB/kyTiXgNzkyLZ373ktcEsuZ05cYY8hbnTIyQQdCGBniXaIO7UPys3WLTaomo08=) ; ZSK; alg = RSASHA256; key id = 8076

KSK: DNSKEY 257 3 8 (AwEAAdW9k6NT/VeswfTCamM53qpD/7rG7dGV1kQBMoy5XEzzY/1hg2BC+sYKCFkAjCsLglkOJ5yihSySIvTLLuc5KGcV9KfSUEGoQB3eThw3PtxstLKRiZIcJ7a43SY0bK/HlxveEfrDHTubp7oOgp4I0BskDGrERK5M3L7QMlDvmVqqXsFBOF72AcHXO7+Hq8sbSC99wiAvioChFg7FpjJfY5QSJenGQatik2HtGG/AfcTxstfQnUok8BzQ3TSs0U2ySIa2j3GzwNN5t7NghiOq9Bod6H2KddwkmEybY20Q0QW9pPbdgszT0tg594XTkwspeEhWIYNn2X34EldF8U+LjT0=) ; KSK; alg = RSASHA256; key id = 34382

DS: DS 34382 8 2 000A3D89DC6CD4BA00EA8AFFEE3967D3A26DE7A545FBEFE16BA07518 FC8D54F6

31.01.2014

EPP

The .ee registry accepts only DNSKEY data (<secDNS:keyData>) over EPP. The registry system generates the DS data automatically using the SHA-256 digest algorithm.
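The DS derivation the registry performs, and the DNSKEY/DS pair published in the DNSKEY AND DS section above, can be checked with the following added example. It is not the registry's own code: it builds the DNSKEY RDATA, computes the RFC 4034 key tag, derives the digest-type-2 (SHA-256) DS as specified in RFC 4509, and compares the result with a published DS; it also reads the RSA modulus length out of the RFC 3110 public-key encoding so the stated RSA 2048 / RSA 1024 key sizes can be confirmed. The owner name "ee.", the choice of Python's standard library, and the constructed records under __main__ are assumptions of the example, not statements from the page.

```python
"""Derive and check a DS record from a DNSKEY record.

Added example (not the .ee registry's own code). Standard library only.
Key tag: RFC 4034 Appendix B. DS digest type 2: RFC 4509 (SHA-256).
"""
import base64
import hashlib


def name_to_wire(name):
    """Owner name in canonical (lower-case) wire format: "ee." -> b"\\x02ee\\x00"."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner, rdata):
    """Digest type 2: SHA-256 over owner-name-wire || DNSKEY RDATA, upper-case hex."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def rsa_modulus_bits(pubkey):
    """Modulus size of an RFC 3110 RSA key: exponent length, exponent, then modulus."""
    exp_len, start = pubkey[0], 1
    if exp_len == 0:  # long form: next two bytes hold the exponent length
        exp_len, start = int.from_bytes(pubkey[1:3], "big"), 3
    return (len(pubkey) - start - exp_len) * 8


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key tag, DS presentation text) for digest type 2."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    tag = key_tag(rdata)
    return tag, "%d %d 2 %s" % (tag, algorithm, ds_digest_sha256(owner, rdata))


def ds_matches(published_ds, derived_ds):
    """Compare DS records ignoring the whitespace dig inserts inside long digests."""
    norm = lambda s: "".join(s.upper().split())
    return norm(published_ds) == norm(derived_ds)


if __name__ == "__main__":
    # KSK and DS as published on the page (copied records, owner name "ee." assumed).
    KSK_B64 = ("AwEAAdW9k6NT/VeswfTCamM53qpD/7rG7dGV1kQBMoy5XEzzY/1hg2BC+sYKCFkAjCsLglkOJ5yihSySIvTLLuc5KGcV9"
               "KfSUEGoQB3eThw3PtxstLKRiZIcJ7a43SY0bK/HlxveEfrDHTubp7oOgp4I0BskDGrERK5M3L7QMlDvmVqqXsFBOF72A"
               "cHXO7+Hq8sbSC99wiAvioChFg7FpjJfY5QSJenGQatik2HtGG/AfcTxstfQnUok8BzQ3TSs0U2ySIa2j3GzwNN5t7Ngh"
               "iOq9Bod6H2KddwkmEybY20Q0QW9pPbdgszT0tg594XTkwspeEhWIYNn2X34EldF8U+LjT0=")
    PUBLISHED_DS = "34382 8 2 000A3D89DC6CD4BA00EA8AFFEE3967D3A26DE7A545FBEFE16BA07518 FC8D54F6"
    tag, derived = ds_from_dnskey("ee.", 257, 3, 8, KSK_B64)
    print("derived DS :", derived)
    print("published  :", PUBLISHED_DS)
    print("match      :", ds_matches(PUBLISHED_DS, derived))
    print("KSK modulus:", rsa_modulus_bits(base64.b64decode(KSK_B64)), "bits")
```

If the records were copied intact, the derived key tag is 34382 and the digest equals the published one; a mismatch means either the DNSKEY text was altered in transit or the DS in the parent was generated from a different key, which is exactly the failure a validator would report as a broken chain of trust.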