DNSSEC
Larry Rosenman
ler at lerctr.org
Mon Apr 25 13:47:43 UTC 2022
On 04/25/2022 8:31 am, The Doctor via bind-users wrote:
> Any easy recipes to get your domains DNSSEC compliant?
> --
> Member - Liberal International This is doctor@@nl2k.ab.ca Ici
> doctor@@nl2k.ab.ca
> Yahweh, Queen & country!Never Satan President Republic!Beware
> AntiChrist rising!
> Look at Psalms 14 and 53 on Atheism
> https://www.empire.kred/ROOTNK?t=94a1f39b
> God will not fix the vessel which insists it isn't broken. -unknown
> Beware https://mindspring.com
I'm just using the dnssec-policy stuff with 9.18, and manually add the
DS records to my registrar (Google in my case), and ARIN for my IPv4
block, and my provider for the delegated IPv6 block.
dnssec-policy "ler2" {
    keys {
        ksk lifetime unlimited algorithm 13;
        zsk lifetime 90d algorithm 13;
    };

    // Key timings
    dnskey-ttl 3600;
    publish-safety 1h;
    retire-safety 1h;
    purge-keys P90D;

    // Signature timings
    signatures-refresh 5d;
    signatures-validity 14d;
    signatures-validity-dnskey 14d;

    // Zone parameters
    max-zone-ttl 86400;
    zone-propagation-delay 300;

    // Parent parameters
    parent-ds-ttl 3600;
    parent-propagation-delay 300;

    nsec3param iterations 0 salt-length 0;
};
If I can help, let me know.
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: ler at lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106
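
Added example, not part of the original message and not ISC's code: a small Python check that parses the policy posted above, derives the key publish and retire intervals from its timing values, and flags settings that would make a rollover or NSEC3 configuration unsafe. The function names are hypothetical, and the interval sums are an assumption modelled on the RFC 7583 key-timing terms, not formulas taken from the post.

```python
import re
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# Policy as posted in the message above (its comments dropped, statements joined).
POLICY = """dnssec-policy "ler2" {
  keys { ksk lifetime unlimited algorithm 13; zsk lifetime 90d algorithm 13; };
  dnskey-ttl 3600; publish-safety 1h; retire-safety 1h; purge-keys P90D;
  signatures-refresh 5d; signatures-validity 14d; signatures-validity-dnskey 14d;
  max-zone-ttl 86400; zone-propagation-delay 300; parent-ds-ttl 3600;
  parent-propagation-delay 300; nsec3param iterations 0 salt-length 0; };"""

def seconds(value):
    """Duration to seconds: 3600, 1h, 90d, P90D, PT1H; 'unlimited' gives None."""
    v = value.lower()
    if v == "unlimited":
        return None
    if re.fullmatch(r"p(\d+w)?(\d+d)?(t(\d+h)?(\d+m)?(\d+s)?)?", v):
        v = v[1:].replace("t", "")  # ISO 8601 form, weeks/days/time parts only
    if not re.fullmatch(r"(\d+[wdhms]?)+", v):
        raise ValueError(f"unrecognised duration: {value}")
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([wdhms]?)", v))

def parse(text):
    """Return (options in seconds, key lifetimes, NSEC3 iterations or None)."""
    opts, keys, iterations = {}, {}, None
    for stmt in re.split(r"[;{}]", re.sub(r"//.*", "", text)):
        tok = stmt.split()
        if tok[:1] in (["ksk"], ["zsk"], ["csk"]):
            keys[tok[0]] = seconds(tok[tok.index("lifetime") + 1])
        elif tok[:1] == ["nsec3param"]:
            iterations = int(tok[tok.index("iterations") + 1])
        elif len(tok) == 2 and tok[0] != "dnssec-policy":
            opts[tok[0]] = seconds(tok[1])
    return opts, keys, iterations

def lint(text):
    """Rollover intervals (assumed RFC 7583-style sums) plus a list of findings."""
    o, keys, iterations = parse(text)
    ipub = o["dnskey-ttl"] + o["zone-propagation-delay"] + o["publish-safety"]
    iret = {"zsk": o["max-zone-ttl"] + o["zone-propagation-delay"] + o["retire-safety"]
                   + o["signatures-validity"] - o["signatures-refresh"],
            "ksk": o["parent-ds-ttl"] + o["parent-propagation-delay"] + o["retire-safety"]}
    findings = []
    if o["signatures-refresh"] >= o["signatures-validity"]:
        findings.append("signatures-refresh is not shorter than signatures-validity")
    for role, life in keys.items():
        if life is not None and role in iret and life <= ipub + iret[role]:
            findings.append(f"{role} lifetime {life}s <= publish+retire {ipub + iret[role]}s")
    findings += ["nsec3param iterations should be 0 (RFC 9276)"] if iterations else []
    return {"ipub": ipub, **{f"{r}_iret": v for r, v in iret.items()}}, findings
```

Calling lint(POLICY) on the posted values gives a publish interval of 7500 seconds, a ZSK retire interval of 867900 seconds, and no findings.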