1. Introduction
This document details the practices and provisions employed by CWCS/CETNIC in the management of the Key Signing Keys (KSK) and Zone Signing Keys (ZSK) for the supported zones.
2. Key Management
KSK: The KSK is rotated annually in a ceremony witnessed by the Branch Warden. The private key is stored offline.
ZSK: The ZSK is rotated automatically every quarter by the registry software.
3. Algorithm
We use ECDSAP256SHA256 (Algorithm 13) for all signing operations.
4. Signature Validity
RRSIG records are valid for 14 days, with a refresh jitter of 2 days.
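The following is an added example, not part of the original statement or of the registry software: it checks RRSIG records in presentation format against the algorithm and validity parameters stated in sections 3 and 4. The statement does not say how the jitter is applied, so the example assumes it is a tolerance on signature lifetime; the function names, zone name, key tag and signature data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

POLICY_ALGORITHM = 13                 # ECDSAP256SHA256 (section 3)
POLICY_VALIDITY = timedelta(days=14)  # RRSIG validity (section 4)
# Assumption: the 2-day jitter is treated as a tolerance on signature lifetime.
POLICY_JITTER = timedelta(days=2)

# Constructed sample records: zone name, key tag and signature are placeholders.
SAMPLE = [
    "example.test. 3600 IN RRSIG SOA 13 2 3600 20240115000000 20240101000000 12345 example.test. c2lnbmF0dXJl",
    "example.test. 3600 IN RRSIG NS 8 2 3600 20240115000000 20240101000000 12345 example.test. c2lnbmF0dXJl",
    "example.test. 3600 IN RRSIG A 13 2 3600 20240131000000 20240101000000 12345 example.test. c2lnbmF0dXJl",
    "example.test. 3600 IN RRSIG MX 13 2 3600 20240108000000 20231225000000 12345 example.test. c2lnbmF0dXJl",
]
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed check time


def _ts(field):
    """Parse an RRSIG timestamp in YYYYMMDDHHmmSS presentation form (UTC)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_rrsig(line, now):
    """Return policy findings for one RRSIG line; an empty list means it conforms."""
    f = line.split()
    i = f.index("RRSIG")  # owner, TTL and class precede the type
    covered, alg = f[i + 1], int(f[i + 2])
    # RDATA order: covered, algorithm, labels, original TTL, expiration, inception
    expiration, inception = _ts(f[i + 5]), _ts(f[i + 6])
    findings = []
    if alg != POLICY_ALGORITHM:
        findings.append(f"{covered}: algorithm {alg}, policy requires {POLICY_ALGORITHM}")
    lifetime = expiration - inception
    if abs(lifetime - POLICY_VALIDITY) > POLICY_JITTER:
        findings.append(f"{covered}: lifetime {lifetime.days}d is outside 14d +/- 2d")
    if not inception <= now <= expiration:
        findings.append(f"{covered}: signature not valid at {now:%Y-%m-%d}")
    return findings


if __name__ == "__main__":
    for record in SAMPLE:
        print(check_rrsig(record, NOW) or "conforms")
```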