[KASP] Key rollover

adrien sipasseuth sipasseuth.adrien at gmail.com
Tue Jan 17 08:38:04 UTC 2023


Hello,

I have put DNSSEC management under KASP, and the zone is fully functional (dig
shows the "AD" flag, etc.).

On the other hand, I can't see when the key rollover period for my KSK is
over (2 KSKs in a "dig DNSKEY ...").

Without KASP, it was easy because I generated the second KSK key, but with
KASP it is managed automatically.

So, I have to adapt my scripts to check that there is:
 - a KSK key in use and a next KSK key, or
 - only one KSK key in use (if we are not in a rollover phase)

Except that with my current policy, I never see 2 KSKs via a "dig
DNSKEY ...".
Here is my policy:

dnssec-policy "test" {
    keys {
        ksk lifetime P7D algorithm ecdsa256;
        zsk lifetime P3D algorithm ecdsa256;
    };
    purge-keys 1d;
    publish-safety 3d;
    retire-safety 3d;
};

I see either my KSK in use or my next KSK (via "dig DNSKEY...") but never
both at the same time.

Is this a normal behavior or am I doing it wrong?

Regards, Adrien
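The check the poster wants to script, as an added example that is not part of the original message or of BIND: classify a zone's KSK rollover phase by counting DNSKEY records with the SEP flag (257 = KSK, 256 = ZSK) in "dig DNSKEY" output. The state labels (stable, rollover, no-ksk) and the sample RRsets are my own constructions; the script assumes dig is installed when run against a live zone.

```shell
#!/bin/sh
# Count KSKs in DNSKEY output read on stdin. Accepts both "dig +short"
# lines ("257 3 13 <key>") and full RR lines ("zone. TTL IN DNSKEY 257 3 13 <key>").
count_ksks() {
    awk '/^;/ { next }                          # skip dig comment lines
         { f = ($4 == "DNSKEY") ? $5 : $1 }     # flags field position
         f+0 == 257 { n++ }                     # 257 = SEP bit set = KSK
         END { print n+0 }'
}

# Map the KSK count to a rollover phase (labels are my own, not BIND's).
# One KSK published: steady state. Two: the next KSK is pre-published,
# i.e. a rollover is in progress.
ksk_state() {
    n=$(count_ksks)
    case "$n" in
        0) echo "no-ksk" ;;
        1) echo "stable" ;;
        2) echo "rollover" ;;
        *) echo "unexpected:$n" ;;
    esac
}

# Query a live zone (assumes dig is available and the zone resolves).
check_zone() {
    dig +short DNSKEY "$1" | ksk_state
}

# Constructed sample RRsets with placeholder key material (not real zones).
SAMPLE_STABLE='257 3 13 KSKDATA1
256 3 13 ZSKDATA1'
SAMPLE_ROLLOVER='257 3 13 KSKDATA1
257 3 13 KSKDATA2
256 3 13 ZSKDATA1'
SAMPLE_FULL='example.test. 3600 IN DNSKEY 257 3 13 KSKDATA1
example.test. 3600 IN DNSKEY 256 3 13 ZSKDATA1
example.test. 3600 IN DNSKEY 257 3 13 KSKDATA2'

# Stand-alone demo on a constructed sample (for a real zone: check_zone example.test)
printf '%s\n' "$SAMPLE_ROLLOVER" | ksk_state
```

BIND's own view of each key's state is available with `rndc dnssec -status <zone>`, which is the authoritative source when the DNSKEY RRset alone is ambiguous.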