Still seeing some ALG-7 DNSSE
Matthijs Mekking
matthijs at isc.org
Mon Apr 12 07:12:25 UTC 2021
On 11-04-2021 01:22, @lbutlr wrote:
> On 06 Apr 2021, at 01:13, Matthijs Mekking <matthijs at isc.org> wrote:
>> In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By default the keys are retained for 90 days after their latest usage. So in that case keys will be cleaned up automatically.
>
> Excellent. Does that go in the zone record with default, or does it replace default? I don't see the syntax in the release notes.
If you don't set "purge-keys" it will be retained for 90 days.
Otherwise, set it inside the 'dnssec-policy' you are using. In other
words, if you want something else, use this:

    dnssec-policy "myway" {
        purge-keys P30D;
        ...
        // other policy options
    };

> Or do I add a
>
> dnssec-policy "default" {
> purge-keys 30; // (or is that field seconds?)
> }
>
> Or will that mess up the predefined for default?
First, you cannot (re)configure the "default" policy; it is a built-in policy.

You can configure a new policy and just add a single option
"purge-keys". Zones with that policy will act the same as the default
policy except for how long to retain keys.

The field is a TTL value or an ISO 8601 duration. So a number is treated
as seconds. If you want 30 days, use 30d or P30D.

Cheers,
Matthijs
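
Added example, not part of the original post and not BIND's own parser: a small check that converts "purge-keys" values to seconds the way the reply describes (bare number = seconds, 30d or P30D = 30 days) and flags retention under one day as a likely unit mistake. The function names, the one-day threshold and the reduced duration grammar (no years or months) are assumptions made for this illustration.

```python
import re

# Unit sizes in seconds for TTL-style suffixes (s, m, h, d, w).
TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# ISO 8601 duration limited to weeks, days and time parts. Years and months
# are left out on purpose: their length in seconds is not fixed.
ISO_RE = re.compile(
    r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$", re.I)
TTL_RE = re.compile(r"^(?:\d+[smhdw])+$", re.I)
STMT_RE = re.compile(r"purge-keys\s+([^;\s]+)\s*;")


def to_seconds(value):
    """Convert a purge-keys value to seconds, as described in the reply."""
    if value.isdigit():                      # bare number: seconds
        return int(value)
    if TTL_RE.match(value):                  # e.g. 30d, 1h30m
        return sum(int(n) * TTL_UNITS[u.lower()]
                   for n, u in re.findall(r"(\d+)([smhdw])", value, re.I))
    m = ISO_RE.match(value)
    if m and any(m.groups()):                # e.g. P30D, PT12H
        w, d, h, mi, s = (int(g or 0) for g in m.groups())
        return w * 604800 + d * 86400 + h * 3600 + mi * 60 + s
    raise ValueError(f"unsupported duration: {value!r}")


def audit(conf_text, min_seconds=86400):
    """Return (value, seconds, suspicious) for each purge-keys statement."""
    out = []
    for value in STMT_RE.findall(conf_text):
        secs = to_seconds(value)
        out.append((value, secs, secs < min_seconds))
    return out


# Constructed sample configuration, not taken from a real server.
SAMPLE = '''
dnssec-policy "myway"  { purge-keys P30D; };
dnssec-policy "short"  { purge-keys 30; };
dnssec-policy "thirty" { purge-keys 30d; };
'''

if __name__ == "__main__":
    for value, secs, flag in audit(SAMPLE):
        note = "  <-- under a day, check the unit" if flag else ""
        print(f"purge-keys {value:>5} = {secs:>8} s ({secs / 86400:.4f} days){note}")
```
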
More information about the bind-users mailing list