How to introduce automatic signing for existing signed zones?

Niall O'Reilly niall.oreilly at ucd.ie
Mon Nov 7 17:24:43 UTC 2022


On 7 Nov 2022, at 11:40, Niall O'Reilly wrote:

> Preparation:
>
> - Set up minimal stand-alone instance of BIND9 named,
>   configured with a **dnssec-policy** for each algorithm,
>   matching properties of existing DNSSEC keys, and with
>   `lifetime unlimited`;
> - Deliver current key files and recently-signed copy of
>   zone files to this instance.

I needed an additional stage of preparation, before delivering
the key files; specifically, I needed to edit the .private
files to 'Private-key-format: v1.3' and add missing lifecycle
metadata.

After doing this, named behaved exactly as expected.

Thanks, Matthijs, for steering me in the right direction,
and for being ready to give me additional help.

/Niall
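
Added example, not part of the original message and not ISC's code: a small Python check that a K*.private file declares 'Private-key-format: v1.3' and carries timing metadata before it is delivered to named. Which fields count as the "missing lifecycle metadata" is an assumption here (Created, Publish, Activate, written as YYYYMMDDHHMMSS); the sample key texts are constructed, with the key material replaced by a placeholder.

```python
import re

# Assumption: these are the timing fields to look for; the message does not list them.
REQUIRED_TIMING = ("Created", "Publish", "Activate")
TIMESTAMP = re.compile(r"^\d{14}$")  # YYYYMMDDHHMMSS

def audit_private_key(text):
    """Return a list of problems found in the text of a K*.private file.

    Only field names and the format version are reported, never key material.
    """
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    problems = []
    fmt = fields.get("Private-key-format")
    if fmt is None:
        problems.append("no Private-key-format line")
    elif fmt != "v1.3":
        problems.append(f"Private-key-format is {fmt}, expected v1.3")
    for name in REQUIRED_TIMING:
        value = fields.get(name)
        if value is None:
            problems.append(f"missing {name}")
        elif not TIMESTAMP.match(value):
            problems.append(f"{name} is not in YYYYMMDDHHMMSS form")
    return problems

# Constructed samples: an older-format file and the same file after editing.
OLD_KEY = """Private-key-format: v1.2
Algorithm: 8 (RSASHA256)
Modulus: PLACEHOLDER
"""
EDITED_KEY = """Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: PLACEHOLDER
Created: 20221107000000
Publish: 20221107000000
Activate: 20221107000000
"""

if __name__ == "__main__":
    for label, text in (("old", OLD_KEY), ("edited", EDITED_KEY)):
        print(label, audit_private_key(text) or "ok")
```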


