bind9/dnssec-policy.default.conf

dnssec-policy "default" {

	// Keys
	keys {
		csk key-directory lifetime 0 algorithm 13;
	};

	// Key timings
	dnskey-ttl 3600;
	publish-safety 1h;
	retire-safety 1h;

	// Signature timings
	signatures-refresh 5d;
	signatures-validity 14d;
	signatures-validity-dnskey 14d;
	
	// Zone parameters
	zone-max-ttl 86400;
	zone-propagation-delay 300;

	// Parent parameters
	parent-ds-ttl 86400;
	parent-registration-delay 24h;
	parent-propagation-delay 1h;
};