Hello, I am trying to set up a testing environment in order to create some scripts to automate the KSK rollover.
############# question 1 #############

This is my policy:

dnssec-policy "test" {
    keys {
        ksk lifetime P3D algorithm ecdsa256 2048;
        zsk lifetime P1D algorithm ecdsa256 2048;
    };
    // Key timings
    purge-keys P4D;
    // Signature timings
    signatures-refresh PT50M;
    signatures-validity PT1H;
    signatures-validity-dnskey PT1H;
    // Zone parameters
    max-zone-ttl PT1H;
    parent-ds-ttl PT1H;
};

I would like to automatically publish the new DS at my registrar. To do it, this is my logic:

For each .state file
    If it is a KSK with "DSState: rumoured" or "DSState: hidden"
        If not in my registrar (dig ds <my_zone> +dnssec +multiline)
            Publish on my registrar (api register)
            Notify Bind (bind rndc dnssec -checkds -key <ID> published <my_zone>)

Do I need to withdraw the old key too immediately? Anything else to do?

############# question 2 #############

If I want to unsign a zone, I change my policy to "insecure", which is default, but files like <my_zone>.signed still exist. Bind doesn't remove them?

############# question 3 #############

In the state file, when the remove date is reached, can I just remove the key? Anything else to do?

Regards,
Adrien SIPASSEUTH
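The selection logic sketched in question 1, as an added example that is not part of the original post and not ISC code. It assumes the `K<zone>.+<alg>+<keytag>.state` file naming and `Field: value` layout of BIND key state files and the output format of `dig +short DS`; the function names and sample data are constructed, and the registrar API call is left to the caller, to be made before running the returned `rndc` command.

```python
import re

# BIND key file names: K<zone>.+<alg>+<keytag>.state
STATE_NAME = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d+)\+(?P<tag>\d+)\.state$")

def parse_state(text):
    """Parse 'Field: value' lines of a .state file; ';' lines are comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields

def parent_ds_tags(dig_short):
    """Key tags from `dig +short DS <zone>`: '<tag> <alg> <digest type> <digest>'."""
    tags = set()
    for line in dig_short.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].isdigit():
            tags.add(int(parts[0]))
    return tags

def plan(state_files, ds_at_parent, states=("rumoured", "hidden")):
    """Return (keytag, rndc argv) for every KSK selected by the post's rule."""
    actions = []
    for fname, text in sorted(state_files.items()):
        m = STATE_NAME.match(fname)
        if not m:
            continue  # not a key state file
        fields = parse_state(text)
        tag = int(m.group("tag"))
        if fields.get("KSK") != "yes" or fields.get("DSState") not in states:
            continue  # ZSK, or DS state outside the selected set
        if tag in ds_at_parent:
            continue  # DS already visible at the parent
        actions.append((tag, ["rndc", "dnssec", "-checkds", "-key", str(tag),
                              "published", m.group("zone")]))
    return actions

# Constructed sample input (not from the post): two KSKs and one ZSK.
SAMPLE = {
    "Kexample.test.+013+11111.state": "; constructed\nKSK: yes\nDSState: omnipresent\n",
    "Kexample.test.+013+22222.state": "; constructed\nKSK: yes\nDSState: rumoured\n",
    "Kexample.test.+013+33333.state": "; constructed\nKSK: no\nZSK: yes\n",
}
SAMPLE_DIG = "11111 13 2 0123ABCD\n"  # constructed DS line, digest is a placeholder
```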