> On 12 Apr 2021, at 01:12, Matthijs Mekking <matth...@isc.org> wrote:
> 
> 
> 
> On 11-04-2021 01:22, @lbutlr wrote:
>> On 06 Apr 2021, at 01:13, Matthijs Mekking <matth...@isc.org> wrote:
>>> In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By 
>>> default the keys are retained for 90 days after their latest usage. So in 
>>> that case keys will be cleaned up automatically.
>> Excellent. Does that go in the zone record with default, or does it replace 
>> default? I don't see the syntax in the release notes.
> 
> If you don't set "purge-keys" it will be retained for 90 days. Otherwise, set 
> it inside the 'dnssec-policy' you are using. In other words, if you want 
> something else, use this:
> 
> dnssec-policy "myway" {
>    purge-keys P30D;
>    ...
>    // other policy options
> };

I am using dnssec-policy default, not my own dnssec policy

>> Or do I add a
>> dnssec-policy "default" {
>>   purge-keys 30; // (or is that field seconds?)
>> }
>> Or will that mess up the predefined for default?
> 
> First, you cannot (re)configure "default" policy, it is a builtin policy.

I found that out, yes.

> You can configure a new policy and just add a single option "purge-keys". 
> Zones with that policy will act the same as the default policy except for how 
> long to retain keys.

So, I have to add a new policy to every zone? That's annoying. I was hoping to 
force the old keys to go away faster.

> The field is a ttl value or an ISO 8601 duration. So a number is treated as 
> seconds. If you want 30 days, use 30d or P30D.

Thank you, I may just wait and see what happens. Though no alg-7 files have 
been deleted yet, even for domains that are not reporting any alg-6 on dnsviz 
(and they are updated every hour) along with the alg-13 key.

-- 
I CAN BE ROBBED BUT NEVER DENIED, I TOLD MYSELF. WHY WORRY?  'I too
        cannot be cheated,' snapped Fate. SO I HAVE HEARD.
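The answer quoted above says purge-keys takes either a TTL value (a bare number is seconds, 30d is 30 days) or an ISO 8601 duration such as P30D. As an added example that is not from this thread or from BIND itself, the following Python normalises both spellings to seconds and reports the key retention for every dnssec-policy in a config fragment, falling back to the 90-day default when the option is absent; the fixed year and month lengths, the comment stripping and the sample config are my own assumptions, not named's parser.

```python
import re

DEFAULT_PURGE_KEYS = "P90D"   # builtin default retention, as stated in the thread

# Seconds per unit for TTL-style values ("30d", "1w2d"); a bare number is seconds.
TTL_UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
# ISO 8601 duration groups in the order Y, M, W, D, H, M, S. Year and month are
# fixed at 365 and 30 days here (assumption; check the ARM for your version).
ISO_UNITS = (365 * 86400, 30 * 86400, 604800, 86400, 3600, 60, 1)

_TTL_RE = re.compile(r"^(?:\d+[wdhms])+$", re.I)
_ISO_RE = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$", re.I)


def duration_to_seconds(value: str) -> int:
    """Normalise a dnssec-policy duration to seconds; raise on anything else."""
    v = value.strip()
    if v.isdigit():                       # plain number: already seconds
        return int(v)
    if _TTL_RE.match(v):                  # TTL syntax, e.g. 30d or 1w2d
        return sum(int(n) * TTL_UNITS[u.lower()]
                   for n, u in re.findall(r"(\d+)([wdhms])", v, re.I))
    m = _ISO_RE.match(v)                  # ISO 8601, e.g. P30D or PT1H30M
    if m is None or not any(m.groups()):
        raise ValueError(f"not a TTL value or ISO 8601 duration: {value!r}")
    return sum(int(g) * u for g, u in zip(m.groups(), ISO_UNITS) if g is not None)


_POLICY_RE = re.compile(r'dnssec-policy\s+"?([\w-]+)"?\s*\{(.*?)\}\s*;', re.S)
_PURGE_RE = re.compile(r'purge-keys\s+([\w.]+)\s*;')


def purge_keys_retention(named_conf: str) -> dict:
    """Map each dnssec-policy name in a config fragment to its purge-keys
    retention in seconds; policies without the option get the 90-day default."""
    result = {}
    for name, body in _POLICY_RE.findall(named_conf):
        body = re.sub(r"//[^\n]*", "", body)      # drop // comments
        found = _PURGE_RE.search(body)
        result[name] = duration_to_seconds(found.group(1) if found else DEFAULT_PURGE_KEYS)
    return result


# Constructed sample: one policy that only shortens purge-keys, one that does not.
SAMPLE_CONF = """
dnssec-policy "myway" {
    purge-keys P30D;
    // other policy options
};
dnssec-policy "keepdefault" {
    signatures-validity 14d;
};
"""

if __name__ == "__main__":
    for name, secs in purge_keys_retention(SAMPLE_CONF).items():
        print(f"{name}: keys retained {secs // 86400} days after last use")
```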


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users