Do I need to renew the keys which I deposited at my domain provider?

domain-name-system domain nameserver dnssec

Solution 1:

You are not required to renew the keys. Unlike RRSIG records, DNSSEC keys and corresponding DS signatures have no expiration date.

KSK (Key signing Keys):

You may choose to rotate keys from time to time, reasons to do so may be for example that possibly your keys stolen and you don't know. If your KSK is kept offline and thus unlikely to be compromised, there's no real need to rotate KSK.

ZSK (Zone signing Keys):

To rotate those you don't need your domain provider, thus it's much easier to rotate. Though if ZSKs are also kept secure enough, there's no real need to rotate them too.

The following RFC is the source of various DNSSEC-related recommendations:

RFC 4641 - DNSSEC Operational Practices, Version 2

.... a reasonable effectivity period for KSKs that have corresponding DS records in the parent zone is of the order of 2 decades or longer. That is, if one does not plan to test the rollover procedure, the key should be effective essentially forever, and only rolled over in case of emergency.

Related

Use scp to copy a file to different servers
Diagnosing permission problems with Cobian Backup to network share
bash tab completion only works for root
max_binlog_size & log-bin size
What is the difference between *:80 and _default_:80 in Apache2?
How to prevent slow responding Tomcat from making Apache slow to respond?
What's eating my drive space when normal files + hidden + system doesn't equal total drive space used
Is there any way to undo after clearing a log on Windows 2008 server?
Which firewall ports do I need to open in order for a domain trust to work?
Risks of Kerberos Delegation
CentOS - semanage - Delete range of ports
is TCP port exhaustion real? [closed]