Hi Daniel,

Thanks for your answer. It's your "fault" that I'm doing DNSSEC stuff and posting here; I saw your speech at SwiNOG 😊

>If your keys have appropriate timing metadata, then the CDS/CDNSKEY
>records are published for your zones automatically:
>
>See man dnssec-keygen
>...
>Timing options:
>    -P date/[+-]offset/none: set key publication date (default: now)
>    -P sync date/[+-]offset/none: set CDS and CDNSKEY publication date
>    -A date/[+-]offset/none: set key activation date (default: now)
>    -R date/[+-]offset/none: set key revocation date
>    -I date/[+-]offset/none: set key inactivation date
>    -D date/[+-]offset/none: set key deletion date
>    -D sync date/[+-]offset/none: set CDS and CDNSKEY deletion date
>
>or man dnssec-settime
>
>> And every time I create or activate new keys, I have to manually add the
>> CDS records, right?
>
>Not if your keys have the appropriate timing metadata.

Ok, I'll definitely have to re-read the dnssec-keygen and -settime manpages and play around.
For the keys I generated (with the -a, -b and -3 options provided), I don't see a CDS or CDNSKEY in the signed file. I probably have to use the -Psync <date> option.

Best regards and "schöne Festtage"
Philippe
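
Added example, not part of the original message and not BIND's own code: a small check that reads the timing metadata from a key file and reports whether CDS/CDNSKEY publication is set for that key. It assumes the metadata is stored as `; Name: YYYYMMDDHHMMSS (...)` comment lines named `SyncPublish` and `SyncDelete`; the sample key, the function names and the status labels are constructed for illustration, and the date comparison is a simplification.

```python
import re
from datetime import datetime, timezone

# Constructed sample key file. Assumption: timing metadata is stored as
# "; Name: YYYYMMDDHHMMSS (...)" comment lines, with times in UTC.
SAMPLE_KEY = """\
; This is a key-signing key, keyid 12345, for example.com.
; Created: 20191220100000 (Fri Dec 20 10:00:00 2019)
; Publish: 20191220100000 (Fri Dec 20 10:00:00 2019)
; Activate: 20191220100000 (Fri Dec 20 10:00:00 2019)
; SyncPublish: 20191227100000 (Fri Dec 27 10:00:00 2019)
example.com. IN DNSKEY 257 3 13 cGxhY2Vob2xkZXI=
"""

META = re.compile(r"^;[ \t]*(\w+):[ \t]*(\d{14})\b", re.MULTILINE)


def timing_metadata(key_text):
    """Return {metadata name: aware UTC datetime} from a key file's comments."""
    return {
        name: datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        for name, stamp in META.findall(key_text)
    }


def cds_status(key_text, now):
    """Classify CDS/CDNSKEY publication for one key at time `now` (UTC)."""
    meta = timing_metadata(key_text)
    publish, delete = meta.get("SyncPublish"), meta.get("SyncDelete")
    if delete is not None and now >= delete:
        return "withdrawn"   # sync deletion date has passed
    if publish is None:
        return "unset"       # no sync publication date on this key
    return "published" if now >= publish else "scheduled"


if __name__ == "__main__":
    now = datetime(2019, 12, 21, tzinfo=timezone.utc)
    no_sync = "\n".join(l for l in SAMPLE_KEY.splitlines() if "SyncPublish" not in l)
    for label, text in (("with SyncPublish", SAMPLE_KEY), ("without", no_sync)):
        print(label, "->", cds_status(text, now), sorted(timing_metadata(text)))
```

A key reported as `unset` is one that still needs a sync publication date, which is what the `-P sync` option quoted above sets.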