I've started playing with DNSSEC on my personal domain and I'm using OpenDNSSEC to perform signing and key maintenance; I only have a static zone, so OpenDNSSEC is an easy fit.
Just to toy with things, I decided to do a manual key rollover for my KSK and ZSK. The time it's going to take for the ZSK to transition from retired to dead is two weeks. That's a massive amount of time, and seems completely unnecessary, given that most TTLs are less than 48 hours and propagation delays are no more than 24 hours.
I've been reading the document "Good Practices Guide for Deploying DNSSEC", where they recommend this two week delay, but don't seem to give a justification for the delay.
What gives?
From the paper:
The duration of the transition from one state to the next is a function of the lifetime of the records in a zone, the time required to deliver the zones to the external servers and clock jitter time (Internet-Draft, DNSSEC Key Timing Considerations).
and
The recommended period during which a KSK is retired before it is removed from the zone (retirement time) is four weeks. For the ZSK, the recommended introduction time is four days and the retirement time is two weeks.
Since it so happens that one of the authors (Patrik W) of the referenced document is sitting about ten meters away, I went and asked him. And it turns out that what gives is that the document is old (it's dated March 2010) and basically no longer relevant. You can safely ignore the week-long times. The short answer to how long a retirement time to have is "twice the TTL and maybe a bit of margin". The long answer is this IETF draft.