"Hi, I'm trying version 9.18.31.
According to the post on https://kb.isc.org/docs/dnssec-key-and-signing-policy,
the policy normally generates keys when they are needed. However, we can
generate the DNSSEC keys ourselves first, and when the policy requires a new
key, it will select the one we created.
There is even an example in that post.
So, I followed that approach. I generated a new key that matches the policy and
placed it in the key directory. However, when it was time to roll the key, my
key was retired, and the policy generated a new one instead.
Here is my policy:"
dnssec-policy "hosting key" {
dnskey-ttl PT1M;
keys{
ksk key-directory lifetime P1Y algorithm RSASHA256 2048;
zsk key-directory lifetime P30D algorithm RSASHA256 2048;
};
And i run this command to generate the next key:
dnssec-keygen -a 8 -b 2048 -n ZONE -K /data/keys/policy.com/ policy.com
i even tried
dnssec-keygen -k "hosting key" -l /etc/named.conf -K /data/keys/policy.com/
policy.com
so im pretty sure the new key matches the policy. But still, they all got
retired.
Plz help.
Best regards,
Tam
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
