How to introduce automatic signing for existing signed zones?
Matthijs Mekking
matthijs at isc.org
Tue Nov 8 07:54:53 UTC 2022
Niall,
Thanks for reporting back. This is an omission in our KB article that I
will fix.
- Matthijs
On 07-11-2022 18:24, Niall O'Reilly wrote:
> On 7 Nov 2022, at 11:40, Niall O'Reilly wrote:
>
>> Preparation:
>>
>> - Set up minimal stand-alone instance of BIND9 named,
>> configured with a **dnssec-policy** for each algorithm,
>> matching properties of existing DNSSEC keys, and with
>> `lifetime unlimited`;
>> - Deliver current key files and recently-signed copy of
>> zone files to this instance.
>
> I needed an additional stage of preparation, before delivering
> the key files; specifically, I needed to edit the .private
> files to 'Private-key-format: v1.3' and add missing lifecycle
> metadata.
>
> After doing this, named behaved exactly as expected.
>
> Thanks, Matthijs, for steering me in the right direction,
> and for being ready to give me additional help.
>
> /Niall
>
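Added example, not part of the original messages and not ISC's code: a pre-flight check for the extra preparation step described above, flagging .private files whose format is older than v1.3 or that lack timing fields. The thread does not say which fields made up the missing lifecycle metadata; Created, Publish and Activate are assumed here, and the sample files are constructed.

```python
import re

# Timing fields assumed to be the "lifecycle metadata" meant in the thread.
REQUIRED_TIMING = ("Created", "Publish", "Activate")
TIMESTAMP = re.compile(r"^\d{14}$")  # YYYYMMDDHHMMSS

def parse_private(text):
    """Return the 'Name: value' fields of a .private file as a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def check_private(text):
    """List the problems to fix before handing the key to named."""
    fields = parse_private(text)
    problems = []
    fmt = fields.get("Private-key-format", "")
    m = re.fullmatch(r"v(\d+)\.(\d+)", fmt)
    if not m:
        problems.append("missing or unreadable Private-key-format")
    elif (int(m.group(1)), int(m.group(2))) < (1, 3):
        problems.append(f"format {fmt} is older than v1.3")
    for name in REQUIRED_TIMING:
        value = fields.get(name)
        if value is None:
            problems.append(f"missing {name}")
        elif not TIMESTAMP.match(value):
            problems.append(f"{name} is not YYYYMMDDHHMMSS")
    return problems  # the PrivateKey value is never reported

# Constructed samples; PrivateKey values are placeholders, not key material.
OLD_KEY = """Private-key-format: v1.2
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: PLACEHOLDER
"""
NEW_KEY = """Private-key-format: v1.3
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: PLACEHOLDER
Created: 20221107112400
Publish: 20221107112400
Activate: 20221107112400
"""

if __name__ == "__main__":
    for label, sample in (("old", OLD_KEY), ("new", NEW_KEY)):
        print(label, check_private(sample) or "ok")
```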