key dir massive
Matthijs Mekking
matthijs at isc.org
Fri Dec 23 09:43:31 UTC 2022
On 12/22/22 16:23, Eric Germann wrote:
>> On Dec 22, 2022, at 09:32, Matthijs Mekking <matthijs at isc.org> wrote:
>>
>>
> </snip>
>
>> I hope you have read our KB article on dnssec-policy before migrating:
>>
>> https://kb.isc.org/v1/docs/en/dnssec-key-and-signing-policy
>>
>> It should list the main pitfalls to save you a lot of hassle (I suspect you started algorithm rollover immediately when changing to dnssec-policy default).
>>
>> If there are any things we should add, I am happy to receive your suggestions.
>
> Are there any examples from ISC on how to handle multiple algorithms in the dnssec-policy stanza? I’m running 8 and 13 both as an experiment
>
> Eric
Just list the keys you want. So for example double algorithm, zsk and ksk:
    dnssec-policy "double-alg" {   # policy name is a placeholder; pick your own
        keys {
            # RSASHA256
            ksk key-directory lifetime P1Y algorithm 8;
            zsk key-directory lifetime P1M algorithm 8;
            # ECDSAP256SHA256
            ksk key-directory lifetime P1Y algorithm 13;
            zsk key-directory lifetime P1M algorithm 13;
        };
    };
Matthijs
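As an added check, not part of the original post or of BIND itself: a small Python script that parses the key statements of a dnssec-policy and flags an algorithm that has a KSK but no ZSK (or vice versa). RFC 4035 requires every algorithm present in the DNSKEY RRset to sign the whole zone, so an incomplete pair is the usual way a two-algorithm policy breaks validation. The sample policy text, the regular expression and the partial algorithm-name map are assumptions of this example.

```python
import re
# Constructed sample (not the post's text): its policy wrapped in the keys block named.conf requires.
SAMPLE_POLICY = """
dnssec-policy "double" {
    keys {
        // RSASHA256
        ksk key-directory lifetime P1Y algorithm 8;
        zsk key-directory lifetime P1M algorithm 8;
        // ECDSAP256SHA256
        ksk key-directory lifetime P1Y algorithm 13;
        zsk key-directory lifetime P1M algorithm 13;
    };
};
"""

# One key statement: role, storage, lifetime, algorithm (name or number), optional size.
KEY_RE = re.compile(
    r"^\s*(csk|ksk|zsk)\s+(?:key-directory|key-store\s+\S+)\s+"
    r"lifetime\s+(\S+)\s+algorithm\s+(\S+?)(?:\s+(\d+))?\s*;",
    re.IGNORECASE | re.MULTILINE,
)
# Mnemonics BIND accepts for common algorithms (partial map; an assumption of this example).
ALG_NUMBERS = {"rsasha256": 8, "rsasha512": 10, "ecdsa256": 13, "ecdsap256sha256": 13,
               "ecdsa384": 14, "ecdsap384sha384": 14, "ed25519": 15, "ed448": 16}

def parse_keys(policy_text):
    """Return [(role, lifetime, algorithm_number)] for every key statement found."""
    keys = []
    for role, lifetime, alg, _size in KEY_RE.findall(policy_text):
        num = int(alg) if alg.isdigit() else ALG_NUMBERS[alg.lower()]
        keys.append((role.lower(), lifetime, num))
    return keys

def check_algorithm_coverage(policy_text):
    """List algorithms lacking either an anchor key (ksk/csk) or a zone signer (zsk/csk).
    RFC 4035 s.2.2: every algorithm in the DNSKEY RRset must sign every RRset in the zone."""
    roles = {}
    for role, _lifetime, num in parse_keys(policy_text):
        roles.setdefault(num, set()).add(role)
    problems = []
    for num in sorted(roles):
        if "csk" in roles[num]:
            continue  # a CSK both anchors and signs
        if "ksk" not in roles[num]:
            problems.append(f"algorithm {num}: zsk without ksk (nothing for a DS to anchor)")
        if "zsk" not in roles[num]:
            problems.append(f"algorithm {num}: ksk without zsk (zone data not signed by it)")
    return problems
```

An empty list means every algorithm in the policy has both halves; run named-checkconf as well, since this only checks the keys block.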