dnssec-policy - KSK rollover

Mark Elkins mark at posix.co.za
Wed Nov 23 17:24:49 UTC 2022


Hi people,

I have read https://kb.isc.org/docs/dnssec-key-and-signing-policy

I have put the following policy in my named.conf file:

dnssec-policy "ecdsa256-policy" {
     signatures-refresh 5d;
     signatures-validity 14d;
     signatures-validity-dnskey 14d;
     dnskey-ttl 3600;
     publish-safety 1h;
     retire-safety 1h;
     purge-keys 10d;

     keys {
         ksk lifetime 370d algorithm ecdsa256;   // <---- this part in particular!
         zsk lifetime 34d algorithm ecdsa256;
     };

     zone-propagation-delay 300s;
     max-zone-ttl 86400s;
     parent-propagation-delay 1h;
     parent-ds-ttl 3600;
};

I also have some external code that goes trawling for CDS records and 
puts into a parent whatever it finds in the child - that in this case is 
signed with the above policy stanza.

If the child creates a new CDS, my external scripts will find it and 
pop it into the parent as a DS record.
If the child loses a CDS record, my external script will remove the 
corresponding DS record from the parent.
Basically, whatever is in the child as a CDS will be in the parent as a DS.
A null CDS removes all DS records, but that's not my question.

Is there anything else I need to do? Any additional rndc commands?

-- 

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.826010496
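The CDS-to-DS sync the post describes, as an added example that is not part of the original post and not code from BIND or from the poster's scripts: a pure function that takes the child's CDS RRset and the parent's current DS RRset (both as rdata strings in presentation format) and returns what the parent should add and remove. It assumes the caller has already fetched the CDS RRset and validated it with DNSSEC, as RFC 7344 and RFC 8078 require before a parent acts on it. All records below are constructed sample data; nothing is queried from the DNS. The two cases a sync script most often gets wrong are covered explicitly: a missing CDS RRset means "no change" (RFC 7344 section 4.1), not "delete every DS", and the DELETE record `0 0 0 00` (RFC 8078 section 4) must be the only CDS record.

```python
"""Model of the "CDS in child -> DS in parent" sync described in the post.

Added example, not the poster's script and not BIND code. Input records
are constructed sample data in DS/CDS presentation format:
    <key tag> <algorithm> <digest type> <digest hex>
Assumption: the CDS RRset handed in has already been DNSSEC-validated.
"""
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

HEX_DIGITS = set("0123456789ABCDEF")


@dataclass(frozen=True)
class DsRecord:
    """One DS or CDS rdata. Frozen so records can live in sets and be diffed."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # upper-case hex so equal digests compare equal regardless of case

    @classmethod
    def parse(cls, rdata: str) -> "DsRecord":
        parts = rdata.split()
        if len(parts) < 4:
            raise ValueError(f"malformed DS/CDS rdata: {rdata!r}")
        tag, alg, dtype = (int(p) for p in parts[:3])
        # The digest may be split by whitespace in presentation format (dig does this).
        digest = "".join(parts[3:]).upper()
        if not digest or set(digest) - HEX_DIGITS:
            raise ValueError(f"digest is not hex: {rdata!r}")
        return cls(tag, alg, dtype, digest)

    def to_rdata(self) -> str:
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest}"

    def is_delete(self) -> bool:
        """RFC 8078 section 4: the CDS '0 0 0 00' asks the parent to remove all DS."""
        return (self.key_tag, self.algorithm, self.digest_type, self.digest) == (0, 0, 0, "00")


def plan_ds_update(child_cds: Iterable[str], parent_ds: Iterable[str]
                   ) -> Tuple[Set[DsRecord], Set[DsRecord]]:
    """Return (records to add at the parent, records to remove at the parent).

    - No CDS RRset at all: RFC 7344 section 4.1 treats that as "no change",
      so the plan is empty rather than stripping the DS set (which would
      leave the child insecure the moment a fetch fails or the child
      withdraws its CDS).
    - A DELETE CDS: it must be the only CDS record; every DS is removed.
    - Otherwise the parent's DS RRset is made identical to the child's CDS RRset,
      which is exactly what a KSK rollover needs: the new key's CDS appears
      alongside the old one, then the old one disappears.
    """
    cds = {DsRecord.parse(r) for r in child_cds}
    ds = {DsRecord.parse(r) for r in parent_ds}
    if not cds:
        return set(), set()
    if any(r.is_delete() for r in cds):
        if len(cds) != 1:
            raise ValueError("a DELETE CDS must be the only record in the CDS RRset")
        return set(), ds
    return cds - ds, ds - cds


# Constructed sample data: a KSK rollover in progress. The child has published
# a CDS for the new KSK (tag 23456) next to the one for the old KSK (tag 12345).
OLD_KSK = "12345 13 2 " + "A1" * 32
NEW_KSK = "23456 13 2 " + "B2" * 32

if __name__ == "__main__":
    add, remove = plan_ds_update([OLD_KSK, NEW_KSK], [OLD_KSK])
    print("add:   ", [r.to_rdata() for r in add])
    print("remove:", [r.to_rdata() for r in remove])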

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20221123/9f0285ed/attachment.htm>


More information about the bind-users mailing list