On Monday, 12 April 2021 01:18:11 CDT @lbutlr via bind-users wrote:

> Does anyone know the syntax for using purge-keys in 9.16.13? I've searched and
> all I can find is notes that it was added. I've tried a couple of things, but
> I am shooting in the dark. I cannot redefine the "default" policy as that
> gives an error and simply putting "purge-keys P90D;" or "dnssec-policy
> purge-keys P90D;" in options files.
>
> I'm sure it's simple, but simply what?

As per the BIND9 ARM section 4.2.21, the purge-keys statement must be contained within a dnssec-policy statement. A policy such as this one is working well for me:
    dnssec-policy Kreme {
        keys {
            ksk lifetime P1Y algorithm ECDSA256;
            zsk lifetime P3M algorithm ECDSA256;
        };
        purge-keys 30d;
        nsec3param;
    };

-- 
Greg

4.2.21 dnssec-policy Statement Grammar

    dnssec-policy <string> {
        dnskey-ttl <duration>;
        keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
        max-zone-ttl <duration>;
        nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];
        parent-ds-ttl <duration>;
        parent-propagation-delay <duration>;
        publish-safety <duration>;
        purge-keys <duration>;
        retire-safety <duration>;
        signatures-refresh <duration>;
        signatures-validity <duration>;
        signatures-validity-dnskey <duration>;
        zone-propagation-delay <duration>;
    };
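An added example, not from Greg's reply and not part of BIND: a small Python lint that applies the rule above to a named.conf fragment, flagging purge-keys placed outside a dnssec-policy block, a redefinition of the built-in "default" policy, and a malformed <duration>. The fragments are constructed to mirror the thread; the helper understands only // and # comments and is no substitute for named-checkconf.

```python
import re

# BIND accepts ISO 8601 durations (P90D, P1Y, P3M; uppercase as in the ARM)
# and TTL-style values (30d, 2592000). These regexes check shape only.
ISO_8601 = re.compile(r"^P(?:\d+Y)?(?:\d+M)?(?:\d+W)?(?:\d+D)?(?:T(?:\d+H)?(?:\d+M)?(?:\d+S)?)?$")
TTL_STYLE = re.compile(r"^\d+[WDHMS]?$", re.I)

def valid_duration(text):
    """True if text has the shape of a BIND <duration> (no range check)."""
    if text in ("P", "PT"):          # all components optional, so reject the bare prefix
        return False
    return bool(ISO_8601.match(text) or TTL_STYLE.match(text))

def lint_purge_keys(conf):
    """Return a list of problems with purge-keys in a named.conf fragment."""
    problems = []
    stack = []  # enclosing block headers, e.g. ["dnssec-policy Kreme", "keys"]
    conf = re.sub(r"(//|#).*", "", conf)           # strip line comments (not /* */)
    for stmt in re.split(r"(?<=[;{}])", conf):     # one statement or brace per item
        stmt = stmt.strip()
        if stmt.endswith("{"):
            head = stmt[:-1].strip()
            parts = head.split()
            if len(parts) > 1 and parts[0] == "dnssec-policy" and parts[1].strip('"') == "default":
                problems.append('dnssec-policy "default" is built in and cannot be redefined')
            stack.append(head)
        elif stmt == "}":
            if stack:
                stack.pop()
        else:
            words = stmt.rstrip(";").split()
            if words and words[0] == "purge-keys":
                where = stack[-1] if stack else "the top level"
                if not where.startswith("dnssec-policy"):
                    problems.append(f"purge-keys in {where}: it is only valid inside dnssec-policy")
                if len(words) != 2 or not valid_duration(words[1]):
                    problems.append(f"purge-keys has a malformed <duration>: {stmt}")
    return problems

# Constructed fragments: the working policy from the reply, then the placements that fail.
GOOD = """
dnssec-policy Kreme {
    keys { ksk lifetime P1Y algorithm ECDSA256; zsk lifetime P3M algorithm ECDSA256; };
    purge-keys 30d;
    nsec3param;
};
"""
BAD = """
options { directory "/var/named"; purge-keys P90D; };   // not allowed in options
dnssec-policy "default" { purge-keys P90D; };          // built-in policy
purge-keys P90D;                                        // bare top-level statement
"""
```

Running lint_purge_keys(GOOD) returns an empty list; lint_purge_keys(BAD) returns three problems, one per mistake described in the question.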