On Monday, 12 April 2021 01:18:11 CDT @lbutlr via bind-users wrote:
> Does anyone know the syntax for using purge-keys in 9.16.13? I've searched and
> all I can find is notes that it was added. I've tried a couple of things, but
> I am shooting in the dark. I cannot redefine the "default" policy as that
> gives an error and simply putting "purge-keys P90D;" or "dnssec-policy
> purge-keys P90D;" in options files.
>
> I'm sure it's simple, but simply what?
>
As per the BIND9 ARM section 4.2.21, the purge-keys statement must be contained
within a dnssec-policy statement. A policy such as this one is working well for
me:
dnssec-policy Kreme {
    keys {
        ksk lifetime P1Y algorithm ECDSA256;
        zsk lifetime P3M algorithm ECDSA256;
    };
    purge-keys 30d;
    nsec3param;
};
--
Greg
4.2.21 dnssec-policy Statement Grammar
dnssec-policy {
    dnskey-ttl ;
    keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime algorithm [ ]; ... };
    max-zone-ttl ;
    nsec3param [ iterations ] [ optout ] [ salt-length ];
    parent-ds-ttl ;
    parent-propagation-delay ;
    publish-safety ;
    purge-keys ;
    retire-safety ;
    signatures-refresh ;
    signatures-validity ;
    signatures-validity-dnskey ;
    zone-propagation-delay ;
};
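To show the placement the answer describes, with the policy attached to a zone, here is an added named.conf fragment for BIND 9.16 (not from the original post or from ISC; the policy name, zone name, file path and directory are assumptions):

```conf
// Added example (not from the original post): purge-keys is only valid
// inside a dnssec-policy block, which a zone then references by name.
// The policy name, zone name, file name and directory are assumptions.

options {
    directory "/var/named";
    // Invalid here: purge-keys is not an options statement, so
    // named-checkconf rejects it at this level.
    // purge-keys P90D;
};

dnssec-policy "kreme" {
    keys {
        ksk lifetime P1Y algorithm ecdsa256;
        zsk lifetime P3M algorithm ecdsa256;
    };
    // Delete key files from disk 90 days (ISO 8601 duration) after the
    // keys have become obsolete.
    purge-keys P90D;
    nsec3param;
};

zone "example.com" {
    type primary;
    file "example.com.db";
    // Without this reference the policy is defined but never used.
    dnssec-policy "kreme";
    inline-signing yes;
};
```

Run `named-checkconf /etc/named.conf` before reloading; it reports the line of any statement placed at the wrong level.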