Hi, I'm trying to automate key rollover with BIND 9.9.2 (will soon upgrade to new rev). I have a couple of elementary questions that seem to be answered briefly in the documentation, but I suspect that my grasp of key rollover is clouded by the last decade of blog posts about tools and techniques that are no longer necessary.
I have a test zone set with "auto-dnssec maintain" and "inline-signing yes". My zone gets signed, RRSIGs get generated, and so on. The 9.9 ARM says at 4.9.7 that named will automatically carry out the key rollover. Does this include creation of new key files?

When the KSK rolls over, do I need to update my registrar? Or does that happen automatically? (I see hints that the root servers pick up the new DS record, but that seems too good to be true.)

By default, keys have no expiration date. I'm assuming I must set an expiration date on the ZSK and KSK for named to automatically create the new key? As a test, I've set my test zone ZSK with a fairly short time to expire:

    dnssec-settime -I +7d -D +14d Kabsolutenetbsd.com.+005+39543

named hasn't created a new ZSK, however. Should I expect it to? Or is there some other document I need to read?

Thanks,
==ml

-- 
Michael W. Lucas http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
mwlu...@michaelwlucas.com, Twitter @mwlauthor
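The situation in the post above (a ZSK given an Inactive and Delete time with dnssec-settime, and no successor key appearing) is the kind of gap that is worth checking before the Inactive date arrives, because "auto-dnssec maintain" in BIND 9.9 only acts on the timing metadata of key files that already exist in the key directory; creating the successor key is a separate step (dnssec-keygen -S, or dnssec-keygen followed by dnssec-settime). The script below is an added example, not code from the post or from ISC. It parses the Publish/Activate/Inactive/Delete comment lines that dnssec-keygen and dnssec-settime write into K*.key files, and reports, per zone and key role, whether every key scheduled to go inactive has a successor that is published early enough and active by the time the old key retires. The key file contents, the zone name example.com, the key IDs, the DNSKEY material, and the one-day prepublish interval are all constructed for this example.

```python
"""Check BIND K*.key timing metadata for rollover coverage (added example)."""
from datetime import datetime, timedelta
import re

# Constructed sample key files, keyed by a hypothetical file name.
# The ZSK 39543 mirrors the post: Inactive +7d, Delete +14d after creation.
# The ZSK 22222 is a constructed successor; the KSK 11111 has no retirement set.
SAMPLE_KEYS = {
    "Kexample.com.+005+39543.key": """\
; This is a zone-signing key, keyid 39543, for example.com.
; Created: 20130101000000 (Tue Jan  1 00:00:00 2013)
; Publish: 20130101000000 (Tue Jan  1 00:00:00 2013)
; Activate: 20130101000000 (Tue Jan  1 00:00:00 2013)
; Inactive: 20130108000000 (Tue Jan  8 00:00:00 2013)
; Delete: 20130115000000 (Tue Jan 15 00:00:00 2013)
example.com. IN DNSKEY 256 3 5 AwEAAcONSTRUCTEDPLACEHOLDER39543
""",
    "Kexample.com.+005+22222.key": """\
; This is a zone-signing key, keyid 22222, for example.com.
; Created: 20130105000000 (Sat Jan  5 00:00:00 2013)
; Publish: 20130106000000 (Sun Jan  6 00:00:00 2013)
; Activate: 20130108000000 (Tue Jan  8 00:00:00 2013)
example.com. IN DNSKEY 256 3 5 AwEAAcONSTRUCTEDPLACEHOLDER22222
""",
    "Kexample.com.+005+11111.key": """\
; This is a key-signing key, keyid 11111, for example.com.
; Created: 20130101000000 (Tue Jan  1 00:00:00 2013)
; Publish: 20130101000000 (Tue Jan  1 00:00:00 2013)
; Activate: 20130101000000 (Tue Jan  1 00:00:00 2013)
example.com. 3600 IN DNSKEY 257 3 5 AwEAAcONSTRUCTEDPLACEHOLDER11111
""",
}

TIME_FMT = "%Y%m%d%H%M%S"
META_RE = re.compile(r"^;\s*(Publish|Activate|Inactive|Delete):\s*(\d{14})")
# Owner, optional TTL, class, DNSKEY flags, protocol, algorithm.
DNSKEY_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+\d+\s+(\d+)")


def parse_key_file(name, text):
    """Return zone, role (KSK/ZSK), algorithm and timing fields of one .key file."""
    info = {"file": name}
    for line in text.splitlines():
        m = META_RE.match(line)
        if m:
            info[m.group(1).lower()] = datetime.strptime(m.group(2), TIME_FMT)
            continue
        d = DNSKEY_RE.match(line)
        if d:
            info["zone"] = d.group(1)
            flags = int(d.group(2))
            # The SEP flag bit (0x0001) marks a KSK (257) as opposed to a ZSK (256).
            info["role"] = "KSK" if flags & 0x0001 else "ZSK"
            info["alg"] = int(d.group(3))
    return info


def check_rollover(key_texts, prepublish=timedelta(days=1)):
    """Report, per key, whether a scheduled retirement is covered by a successor.

    A successor must share zone, role and algorithm, be published at least
    `prepublish` before the old key goes inactive (so caches can learn it),
    and be active no later than the old key's Inactive time.
    Returns a list of (file, status, message) tuples; status is "ok" or "missing".
    """
    keys = [parse_key_file(n, t) for n, t in key_texts.items()]
    findings = []
    for k in keys:
        if "inactive" not in k:
            findings.append((k["file"], "ok", "no retirement scheduled"))
            continue
        successors = [
            s for s in keys
            if s is not k
            and s.get("zone") == k.get("zone")
            and s.get("role") == k.get("role")
            and s.get("alg") == k.get("alg")
            and "publish" in s and "activate" in s
            and s["publish"] <= k["inactive"] - prepublish
            and s["activate"] <= k["inactive"]
        ]
        if successors:
            findings.append((k["file"], "ok", "successor " + successors[0]["file"]))
        else:
            findings.append((k["file"], "missing",
                             f"goes inactive {k['inactive']:%Y-%m-%d} with no successor key"))
    return findings


if __name__ == "__main__":
    for file, status, msg in check_rollover(SAMPLE_KEYS):
        print(f"{status:8} {file}: {msg}")
```

Pointing the script at a real key directory means reading each K*.key file from disk into the dictionary instead of the constructed strings. Dropping the 22222 entry reproduces the post's situation: the 39543 ZSK is reported as "missing", which is the condition named will not fix on its own in 9.9.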