Re: dnssec-policy makes BIND touch all key files every hour

2022-04-26 Thread Matthijs Mekking
On 26-04-2022 14:25, Bjørn Mork wrote: Matthijs Mekking writes: What can you do to get it to "omnipresent"? Tell BIND that the DS is in the parent (only do so if it is true of course). You can run rndc dnssec -checkds published your.zone And it should update the keyfile. You should

Re: dnssec-policy makes BIND touch all key files every hour

2022-04-26 Thread Bjørn Mork
Matthijs Mekking writes: > What can you do to get it to "omnipresent"? Tell BIND that the DS is > in the parent (only do so if it is true of course). You can run > > rndc dnssec -checkds published your.zone > > And it should update the keyfile. You should then see a "DsPublish" > line in

Re: dnssec-policy makes BIND touch all key files every hour

2022-04-26 Thread Matthijs Mekking
Bjørn, Perhaps you hit another quirk in the migration. I'll try to explain what is happening, or what is supposed to happen. When migrating to dnssec-policy, there are no state files. BIND tries to deduce the state from the timing metadata and the durations from dnssec-policy. For the DS,

Re: dnssec-policy makes BIND touch all key files every hour

2022-04-26 Thread Bjørn Mork
Matthijs Mekking writes: > To be precise, BIND updates the key files each keymgr run. But if the > keymgr waits for an event (rather than a duration), it will retry > every refresh key interval, which defaults to an hour. > > You can check the logs for "next key event" to see when the keymgr is >

Re: dnssec-policy makes BIND touch all key files every hour

2022-04-26 Thread Matthijs Mekking
Hi, To be precise, BIND updates the key files each keymgr run. But if the keymgr waits for an event (rather than a duration), it will retry every refresh key interval, which defaults to an hour. You can check the logs for "next key event" to see when the keymgr is scheduled next. But yes,

Re: dnssec-policy makes BIND touch all key files every hour

2022-04-25 Thread Laurent Frigault
On Sun, Apr 24, 2022 at 11:58:44AM +0200, Bjørn Mork wrote: Hello, > I recently moved a few zones from "auto-dnssec maintain" to > "dnssec-policy ..." to prepare for simpler/automatic key rotation in the > future. > > For the time being I have configured my policy with separate KSK and ZSK > and

dnssec-policy makes BIND touch all key files every hour

2022-04-24 Thread Bjørn Mork
Hello, I recently moved a few zones from "auto-dnssec maintain" to "dnssec-policy ..." to prepare for simpler/automatic key rotation in the future. For the time being I have configured my policy with separate KSK and ZSK and unlimited key life times to replicate the old setup as closely as possib