bind9/doc/misc/dnssec-policy.default.conf

dnssec-policy "default" {
	// Keys
	keys {
		csk key-directory lifetime unlimited algorithm 13;
	};

	// Key timings
	dnskey-ttl 3600;
	publish-safety 1h;
	retire-safety 1h;
        purge-keys P90D;

	// Signature timings
	signatures-refresh 5d;
	signatures-validity 14d;
	signatures-validity-dnskey 14d;

	// Zone parameters
	max-zone-ttl 86400;
	zone-propagation-delay 300;

	// Parent parameters
	parent-ds-ttl 86400;
	parent-propagation-delay 1h;
};