Hello,

I am trying to set up a testing environment in order to write some scripts to
automate the KSK rollover.

############# question 1 #############
This is my policy:

dnssec-policy "test" {
    keys {
        // ECDSA P-256 keys are always 256 bits, so no key size is given
        ksk lifetime P3D algorithm ecdsa256;
        zsk lifetime P1D algorithm ecdsa256;
    };

    // Key timings
    purge-keys P4D;

    // Signature timings
    signatures-refresh  PT50M;
    signatures-validity PT1H;
    signatures-validity-dnskey PT1H;

    // Zone parameters
    max-zone-ttl PT1H;
    parent-ds-ttl PT1H;

};

I would like to automatically push the new DS to my registrar; to do this,
here is my logic:

For each .state file
    If it is a KSK with "DSState: rumoured" or "DSState: hidden"
        If not in my registrar (dig ds <my_zone> +dnssec +multiline)
            Publish on my registrar (registrar API)
            Notify BIND (rndc dnssec -checkds -key <ID> published <my_zone>)

Do I need to withdraw the old key immediately too? Anything else to do?

############# question 2 #############
If I want to unsign a zone, I change my policy to "insecure", which is the
default, but files like <my_zone>.signed still exist. Doesn't BIND remove them?

############# question 3 #############

In the state file, when the removal date has been reached, can I just remove
the key? Anything else to do?

Regards,
Adrien SIPASSEUTH
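The following is an added example that implements the logic sketched in the mail above; it is not code from the mail, from ISC or from BIND. It assumes the `Key: value` layout of BIND key `.state` files and the `Kzone.+alg+tag.state` file naming, that "rumoured" means named wants the DS submitted to the parent and "unretentive" means named is ready for the DS to be withdrawn, and that the registrar API is a hypothetical callable `registrar(zone, tag, action)`. The sample state files and `dig` answer are constructed. It gates DS publication on the DNSKEY being omnipresent, so a DS is never handed to the parent before validators can see the matching key, and it covers the withdrawal side of the rollover with the same pattern (`rndc dnssec -checkds -key <ID> withdrawn <zone>`).

```python
"""Plan and apply DS publish/withdraw actions for a KSK rollover from BIND
key .state files and the parent's DS RRset (added example, see lead-in)."""
import re
import subprocess

# Constructed sample: old KSK 11111 fully in place, new KSK 22222 waiting for
# its DS, plus one ZSK that must be ignored. Field names follow BIND's
# .state files (assumption).
SAMPLE_STATE_FILES = {
    "Kexample.test.+013+11111.state": """\
; This is the state of key 11111, for example.test.
Algorithm: 13
KSK: yes
ZSK: no
DNSKEYState: omnipresent
DSState: omnipresent
GoalState: omnipresent
""",
    "Kexample.test.+013+22222.state": """\
Algorithm: 13
KSK: yes
ZSK: no
Published: 20240101000000 (Mon Jan  1 00:00:00 2024)
DNSKEYState: omnipresent
DSState: rumoured
GoalState: omnipresent
""",
    "Kexample.test.+013+33333.state": """\
KSK: no
ZSK: yes
DSState: hidden
GoalState: omnipresent
""",
}

# Constructed sample answer of `dig ds example.test +dnssec +multiline`:
# only the old KSK's DS is at the parent so far.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
example.test.           3600 IN DS 11111 13 2 (
                                0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
                                0123456789ABCDEF )
"""

STATE_LINE = re.compile(r"^([A-Za-z]+):\s*(\S+)")
STATE_NAME = re.compile(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.state$")


def parse_state(text):
    """Return the `Key: value` pairs of a .state file. Only the first token
    after the colon is kept, so dates lose their '(...)' suffix; lines
    starting with ';' are comments."""
    state = {}
    for line in text.splitlines():
        m = STATE_LINE.match(line.strip())
        if m:
            state[m.group(1)] = m.group(2)
    return state


def parse_state_filename(name):
    """Zone (without trailing dot) and key tag encoded in the file name."""
    m = STATE_NAME.match(name)
    if not m:
        raise ValueError(f"not a key state file name: {name}")
    return m.group("zone").rstrip("."), int(m.group("tag"))


def parent_ds_keytags(dig_output):
    """Key tags of the DS records in the dig answer. With +multiline the
    owner, TTL, class, type and key tag are always on the first line."""
    tags = set()
    for line in dig_output.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2] == "IN" and f[3] == "DS":
            tags.add(int(f[4]))
    return tags


def plan_ds_actions(state_files, dig_output):
    """Decide per KSK whether its DS must be published at or withdrawn from
    the parent. Returns a sorted list of (zone, keytag, action)."""
    parent = parent_ds_keytags(dig_output)
    actions = []
    for name, text in state_files.items():
        zone, tag = parse_state_filename(name)
        st = parse_state(text)
        if st.get("KSK") != "yes":
            continue  # ZSKs never get a DS
        ds, goal, dnskey = st.get("DSState"), st.get("GoalState"), st.get("DNSKEYState")
        # Incoming KSK: publish only once named reports the DNSKEY omnipresent,
        # otherwise validators could see a DS with no matching key yet.
        if (goal == "omnipresent" and ds in ("hidden", "rumoured")
                and dnskey == "omnipresent" and tag not in parent):
            actions.append((zone, tag, "published"))
        # Outgoing KSK: named marks the DS unretentive when it may be withdrawn.
        elif goal == "hidden" and ds == "unretentive" and tag in parent:
            actions.append((zone, tag, "withdrawn"))
    return sorted(actions)


def rndc_checkds_command(zone, tag, action):
    """The rndc command from the mail that tells named the DS change is done."""
    return ["rndc", "dnssec", "-checkds", "-key", str(tag), action, zone]


def apply_actions(actions, registrar, run=subprocess.run):
    """registrar(zone, tag, action) is the hypothetical registrar API call;
    `run` is injectable so the plan can be exercised without a live named."""
    for zone, tag, action in actions:
        registrar(zone, tag, action)
        run(rndc_checkds_command(zone, tag, action), check=True)


if __name__ == "__main__":
    for zone, tag, action in plan_ds_actions(SAMPLE_STATE_FILES, SAMPLE_DIG_OUTPUT):
        print(zone, tag, action, "->", " ".join(rndc_checkds_command(zone, tag, action)))
```

In production the `state_files` dict would be filled from the key directory and `dig_output` from a real `dig` call against the parent; `plan_ds_actions` stays pure so the decision can be logged and reviewed before anything is sent to the registrar or to named.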
-- 
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users