On 11-04-2021 01:22, @lbutlr wrote:
On 06 Apr 2021, at 01:13, Matthijs Mekking <matth...@isc.org> wrote:
In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By 
default the keys are retained for 90 days after their latest usage. So in that case keys will be 
cleaned up automatically.

Excellent. Does that go in the zone record with default, or does it replace 
default? I don't see the syntax in the release notes.

If you don't set "purge-keys" it will be retained for 90 days. Otherwise, set it inside the 'dnssec-policy' you are using. In other words, if you want something else, use this:

dnssec-policy "myway" {
    purge-keys P30D;
    ...
    // other policy options
};


Or do I add a

dnssec-policy "default" {
   purge-keys 30; // (or is that field seconds?)
}

Or will that mess up the predefined for default?

First, you cannot (re)configure "default" policy, it is a builtin policy.

You can configure a new policy and just add a single option "purge-keys". Zones with that policy will act the same as the default policy except for how long to retain keys.

The field is a TTL value or an ISO 8601 duration. So a number is treated as seconds. If you want 30 days, use 30d or P30D.

Cheers,

Matthijs
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
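
An added example, not part of the original messages and not BIND's own code: a small Python check that converts "purge-keys" values to seconds, showing that a bare 30 is 30 seconds while 30d and P30D are 30 days. The function names, the sample policies "short" and "ttl", and the restriction to week/day/hour/minute/second units are assumptions of this sketch.

```python
import re

# Seconds per unit. Keys double as TTL suffixes ("30d") and ISO 8601 group names.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"(?:[0-9]+[smhdw])+", re.I)
# ISO 8601 subset: PnW or PnDTnHnMnS. Years and months are rejected in this
# sketch (assumption) because their length in seconds is only a convention.
ISO_RE = re.compile(
    r"P(?:(?P<w>[0-9]+)W|(?:(?P<d>[0-9]+)D)?"
    r"(?:T(?:(?P<h>[0-9]+)H)?(?:(?P<m>[0-9]+)M)?(?:(?P<s>[0-9]+)S)?)?)",
    re.I,
)

def duration_to_seconds(value):
    """Convert a bare number, TTL-style value or ISO 8601 duration to seconds."""
    value = value.strip()
    if re.fullmatch(r"[0-9]+", value):
        return int(value)  # a bare number means seconds, not days
    if TTL_RE.fullmatch(value):
        parts = re.findall(r"([0-9]+)([smhdw])", value.lower())
        return sum(int(n) * UNITS[u] for n, u in parts)
    m = ISO_RE.fullmatch(value)
    if m and any(m.groupdict().values()) and not value.upper().endswith("T"):
        return sum(int(n) * UNITS[u] for u, n in m.groupdict().items() if n)
    raise ValueError(f"unsupported duration: {value!r}")

def purge_keys_settings(conf):
    """Return (policy, raw value, seconds) for each purge-keys statement."""
    found, policy = [], None
    for line in conf.splitlines():
        line = line.split("//")[0]  # drop trailing // comments
        name = re.search(r'dnssec-policy\s+"([^"]+)"\s*\{', line)
        if name:
            policy = name.group(1)
        opt = re.search(r"\bpurge-keys\s+([^;\s]+)\s*;", line)
        if opt:
            found.append((policy, opt.group(1), duration_to_seconds(opt.group(1))))
    return found

# Constructed sample: "short" uses the bare number asked about in the thread.
SAMPLE = """
dnssec-policy "myway" { purge-keys P30D; };
dnssec-policy "short" { purge-keys 30; };  // meant as 30 days
dnssec-policy "ttl" { purge-keys 30d; };
"""

for policy, raw, secs in purge_keys_settings(SAMPLE):
    print(f"{policy}: purge-keys {raw} = {secs} s ({secs / 86400:g} days)")
```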