A. The registry will accept key data but no action is taken. Only DS data is processed. It is the registrar’s responsibility to verify the DS data.
- The use of HSM modules for the generation and storage of keys to ensure that keys cannot be compromised
- A 2048-bit Key Signing Key
- A 2048-bit Zone Signing Key
- The use of RSA/SHA-256
- KSK rollovers every 12 months, using the double RRset method
- ZSK rollovers every month, using the pre-publication method
- Algorithm rollovers specifically planned per event; at present an alternative to RSA/SHA-256 is not yet proposed
- NSEC3 with opt-out, to reduce the overhead of zone file size increases
- A TTL of 14,400 seconds on records to minimize risks during, and allow for, emergency key rollovers
- Use of the DNS software’s automatic re-signing of RRSIGs to prevent signatures from expiring and causing validation failures
- A 7 day signature refresh period to protect against failures in signing systems
- A 14 day signature validity period
- The addition of a random time offset to all signature expiry times during the initial generation, to distribute expiry evenly and minimize DNS load
- Key rollovers coordinated according to a pre-calculated safety schedule
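The items above (4-hour TTL, 14-day validity, 7-day refresh, monthly pre-publication ZSK rollover, yearly Double-RRset KSK rollover, jittered expiry) define a rollover safety schedule. The following is an added worked example, not Donuts' own tooling, that derives the schedule from those numbers using the timing rules of RFC 6781. The TTL, validity, refresh and rollover cadences come from the list; the propagation delays, the parent's DS TTL and the safety margin are assumptions, labelled in the code.

```python
"""Rollover safety-schedule calculator for the DNSSEC parameters listed above.

Added example, not Donuts' own tooling. The TTL, validity, refresh and rollover
cadences come from the list above; propagation delays, the parent's DS TTL and the
safety margin are ASSUMED values. Timings follow RFC 6781 (pre-publication ZSK
rollover, Double-RRset KSK rollover).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import random


@dataclass(frozen=True)
class SigningPolicy:
    record_ttl: timedelta = timedelta(seconds=14_400)   # from the list above (4 hours)
    sig_validity: timedelta = timedelta(days=14)        # from the list above
    sig_refresh: timedelta = timedelta(days=7)          # from the list above
    zsk_lifetime: timedelta = timedelta(days=30)        # "every month"
    ksk_lifetime: timedelta = timedelta(days=365)       # "every 12 months"
    propagation_delay: timedelta = timedelta(hours=1)   # ASSUMED: secondaries pick up a new serial
    ds_ttl: timedelta = timedelta(days=1)               # ASSUMED: parent's DS TTL
    parent_propagation: timedelta = timedelta(hours=6)  # ASSUMED: parent publishes a DS change
    safety_margin: timedelta = timedelta(hours=1)       # ASSUMED: extra slack on every step


def check_signature_windows(p: SigningPolicy) -> list[str]:
    """Sanity checks on the refresh/validity pair.

    sig_refresh is read as "re-sign when this much validity remains" (the
    BIND sig-validity-interval convention). If the signer breaks, the worst
    case is a signature that was just due for refresh: sig_refresh is then
    the time left to repair the signer before validation failures start."""
    problems = []
    if p.sig_refresh >= p.sig_validity:
        problems.append("refresh period must be shorter than the validity period")
    if p.sig_refresh < p.record_ttl + p.propagation_delay:
        problems.append("repair window is shorter than TTL + propagation delay")
    return problems


def zsk_prepublish_schedule(p: SigningPolicy, publish_at: datetime) -> dict[str, datetime]:
    """Pre-publication ZSK rollover (RFC 6781 section 4.1.1.1).

    The new key must be visible in every cache before it signs anything, and
    the old key may only be removed once every signature it produced has
    expired from the zone and from caches."""
    settle = p.record_ttl + p.propagation_delay + p.safety_margin
    activate = publish_at + settle                      # new ZSK signs, old ZSK stops
    remove_old = activate + p.sig_validity + settle     # conservative: last old RRSIG gone
    next_publish = activate + p.zsk_lifetime - settle   # keeps the monthly cadence
    return {"publish": publish_at, "activate": activate,
            "remove_old": remove_old, "next_publish": next_publish}


def ksk_double_rrset_schedule(p: SigningPolicy, publish_at: datetime) -> dict[str, datetime]:
    """Double-RRset KSK rollover (RFC 6781 section 4.1.2.3).

    New KSK and new DS are introduced at the same time; the old KSK and old
    DS are retired only after the slower of the child DNSKEY change and the
    parent DS change has propagated everywhere."""
    child_settle = p.record_ttl + p.propagation_delay
    parent_settle = p.ds_ttl + p.parent_propagation
    remove_old = publish_at + max(child_settle, parent_settle) + p.safety_margin
    return {"publish": publish_at, "remove_old": remove_old,
            "next_publish": publish_at + p.ksk_lifetime}


def jittered_expiry(base_expiry: datetime, window: timedelta, rng: random.Random) -> datetime:
    """Pull a signature's expiry earlier by a random offset in [0, window) so a
    bulk initial signing does not expire, and get re-signed, all at once."""
    offset = timedelta(seconds=rng.uniform(0, window.total_seconds()))
    return base_expiry - offset


if __name__ == "__main__":
    policy = SigningPolicy()
    print("policy problems:", check_signature_windows(policy) or "none")
    t0 = datetime(2024, 1, 1)
    for name, when in zsk_prepublish_schedule(policy, t0).items():
        print(f"ZSK {name:13} {when:%Y-%m-%d %H:%M}")
    for name, when in ksk_double_rrset_schedule(policy, t0).items():
        print(f"KSK {name:13} {when:%Y-%m-%d %H:%M}")
```

The "remove_old" step for the ZSK uses the full 14-day validity rather than the 7-day refresh window on purpose: it is the bound that holds even if re-signing stalls, which is the failure the refresh period is meant to absorb.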
A. Donuts’ TLDs will support DNSSEC at launch.