Migrating to dnssec-policy - existing "stack" of future keys ?
vom513
vom513 at gmail.com
Wed Nov 16 17:53:51 UTC 2022
Hello,
I’m wanting to go ahead and look at migrating to dnssec-policy for my zones. I currently use “auto-dnssec maintain” and “inline-signing yes”. I also have a “stack” of ZSKs I made that all nicely overlap with their various date settings. I think I made these out to sometime in 2024.
In addition to all the info here:
https://kb.isc.org/docs/dnssec-key-and-signing-policy
Do I need to / should I do something to this stack of keys? I was thinking maybe take the most “current” key, and remove its expiration etc. Then (after a backup of course), delete the other future keys?
In other words, I can’t imagine I’d want to mix the “old way” of managing these / rollovers with the new.
Hopefully this makes sense. Thanks for any guidance or insight.