Hi people,
I have read https://kb.isc.org/docs/dnssec-key-and-signing-policy
I have put the following policy in my named.conf file:

    dnssec-policy "ecdsa256-policy" {
        signatures-refresh 5d;
        signatures-validity 14d;
        signatures-validity-dnskey 14d;
        dnskey-ttl 3600;
        publish-safety 1h;
        retire-safety 1h;
        purge-keys 10d;
        keys {
            ksk lifetime 370d algorithm ecdsa256;  // <---- this part in particular!
            zsk lifetime 34d algorithm ecdsa256;
        };
        zone-propagation-delay 300s;
        max-zone-ttl 86400s;
        parent-propagation-delay 1h;
        parent-ds-ttl 3600;
    };
I also have some external code that goes trawling for CDS records and
puts into a parent whatever it finds in the child - that in this case is
signed with the above policy stanza.
If the child creates a new CDS - my external scripts will find it and
pop it into the parent as a DS record.
If the child loses a CDS record - my external script will remove the
corresponding DS record from the parent.
Basically - whatever is in the child as a CDS will be in the parent as a DS.
A null CDS removes all DS records - but that's not my question.
Is there anything else I need to do? Any additional rndc's?
--
Mark James ELKINS - Posix Systems - (South) Africa
m...@posix.co.za Tel: +27.826010496
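The CDS-to-DS reconciliation the post describes, written out as an added example (not the poster's script and not part of BIND). It assumes the records arrive as presentation-format rdata strings, that the fetching resolver has already DNSSEC-validated the child's CDS RRset, and that algorithm 13 is the only one the policy above (ecdsa256) should ever publish; it also handles the RFC 8078 null CDS and refuses the RFC 7344 cases a parental agent must not act on.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex digest, normalised to upper case so sets compare cleanly


def parse_ds(rdata: str) -> DS:
    """Parse presentation-format CDS/DS rdata: '<tag> <alg> <digest-type> <hex>'."""
    tag, alg, dtype, *digest = rdata.split()
    return DS(int(tag), int(alg), int(dtype), "".join(digest).upper())


def fmt(d: DS) -> str:
    return f"{d.key_tag} {d.algorithm} {d.digest_type} {d.digest}"


DELETE_CDS = DS(0, 0, 0, "00")  # RFC 8078 "delete" CDS: 0 0 0 00


def plan_ds_update(cds_rdata, parent_ds_rdata, rrsig_key_tags, allowed_algs=(13,)):
    """Return (to_add, to_remove) so that the parent's DS set equals the child's CDS set.

    rrsig_key_tags are the key tags of the RRSIGs covering the (already validated)
    CDS RRset. Raises ValueError when the CDS RRset must not be acted on.
    """
    cds = {parse_ds(r) for r in cds_rdata}
    parent = {parse_ds(r) for r in parent_ds_rdata}
    if not parent:
        raise ValueError("no DS in parent: CDS must not bootstrap a delegation (RFC 7344)")
    # RFC 7344 s4.1: the CDS RRset must be signed by a key already represented in DS.
    if not any(tag in {d.key_tag for d in parent} for tag in rrsig_key_tags):
        raise ValueError("CDS RRset not signed by a key in the current DS set")
    if DELETE_CDS in cds:
        if cds != {DELETE_CDS}:
            raise ValueError("delete CDS mixed with ordinary CDS records")
        return [], sorted(fmt(d) for d in parent)  # null CDS: remove every DS
    bad = [fmt(d) for d in cds if d.algorithm not in allowed_algs]
    if bad:
        raise ValueError(f"CDS outside algorithm policy: {bad}")
    return sorted(fmt(d) for d in cds - parent), sorted(fmt(d) for d in parent - cds)


if __name__ == "__main__":
    # Constructed sample: child has rolled in a second KSK, parent still has only the old DS.
    child_cds = ["12345 13 2 AABB", "23456 13 2 CCDD"]
    parent_ds = ["12345 13 2 aabb"]
    print(plan_ds_update(child_cds, parent_ds, rrsig_key_tags=[12345]))
```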
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users