Hello,
I set up DNSSEC management with KASP, and the zone is working fine (dig
shows the "AD" flag, etc.).
On the other hand, I can't see when the key rollover period for my KSK is
over (2 KSKs in a "dig DNSKEY ..." output).
Without KASP, it was easy because I generated the second KSK myself, but with
KASP, it is managed automatically.
So, I have to adapt my scripts to check that there is:
- a KSK in use and a next KSK
- or only one KSK in use (if we are not in a rollover phase)
Except that with my current policy, I never see 2 KSKs via a "dig
DNSKEY ...".
Here is my policy:
dnssec-policy "test" {
    keys {
        // KSK: replaced every 7 days; ZSK: replaced every 3 days
        ksk lifetime P7D algorithm ecdsa256;
        zsk lifetime P3D algorithm ecdsa256;
    };
    // remove key files 1 day after a key is completely retired
    purge-keys 1d;
    // safety margins added to the publish and retire timings
    publish-safety 3d;
    retire-safety 3d;
};
I see either my KSK in use or my next KSK (via "dig DNSKEY ..."), but never
both at the same time.
Is this normal behavior, or am I doing something wrong?
Regards, Adrien
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
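An added example of the check Adrien's post describes; it is not his script and not part of BIND. It parses the answer text that "dig DNSKEY <zone>" (or "dig +short DNSKEY <zone>") prints, tells KSKs (SEP flag set, flags 257) from ZSKs (flags 256), computes each key's RFC 4034 key tag, and reports whether one KSK (steady state) or two KSKs (rollover in progress) are published. The zone name example.test, the DNSKEY records in the sample, and the function names are constructed for this example; the public-key fields are placeholder bytes, not real ECDSA P-256 keys, so the key tags are only meaningful for the sample.

```python
"""Classify a zone's published DNSKEY RRset and report the KSK rollover phase.

Added example for the bind-users thread above; not Adrien's script and not
BIND code. Input is the text that `dig DNSKEY <zone>` or
`dig +short DNSKEY <zone>` prints. Key tags follow RFC 4034 Appendix B.
"""
import base64
from dataclasses import dataclass

# Constructed sample input (not a real dig run): two KSKs (flags 257) and
# one ZSK (flags 256), i.e. what the RRset looks like mid-KSK-rollover.
# Public-key fields are placeholder bytes, not real ECDSA keys.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.18 <<>> DNSKEY example.test
;; ANSWER SECTION:
example.test.  3600  IN  DNSKEY  257 3 13 AQIDBA==
example.test.  3600  IN  DNSKEY  257 3 13 BQYH CA==
example.test.  3600  IN  DNSKEY  256 3 13 CQoLDA==
"""


@dataclass
class DnsKey:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def is_ksk(self) -> bool:
        # Flags value 256 is the Zone Key bit; value 1 is the SEP bit.
        # A KSK carries both (257); a ZSK carries only the Zone Key bit (256).
        return bool(self.flags & 0x0001)

    @property
    def key_tag(self) -> int:
        # RFC 4034 Appendix B: sum even-offset RDATA bytes shifted left 8
        # and odd-offset bytes as-is, fold the carry, keep 16 bits.
        rdata = (self.flags.to_bytes(2, "big")
                 + bytes([self.protocol, self.algorithm])
                 + self.pubkey)
        ac = 0
        for i, b in enumerate(rdata):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def parse_dnskey_records(text: str) -> list[DnsKey]:
    """Parse DNSKEY RRs from dig's full or +short output.

    dig may split the base64 key into several whitespace-separated chunks
    and, in multi-line mode, wrap them in parentheses; both are joined here.
    """
    keys: list[DnsKey] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # dig comment / section header
        tokens = line.split()
        if "DNSKEY" in tokens:
            rdata = tokens[tokens.index("DNSKEY") + 1:]
        else:
            rdata = tokens                # `dig +short` prints RDATA only
        rdata = [t for t in rdata if t not in ("(", ")")]
        if len(rdata) < 4 or not rdata[0].isdigit():
            continue
        flags, proto, alg = (int(x) for x in rdata[:3])
        pubkey = base64.b64decode("".join(rdata[3:]))
        keys.append(DnsKey(flags, proto, alg, pubkey))
    return keys


def ksk_rollover_phase(keys: list[DnsKey]) -> str:
    """'steady' with one published KSK, 'rollover' with two or more."""
    n = sum(1 for k in keys if k.is_ksk)
    if n == 0:
        return "no-ksk"
    return "steady" if n == 1 else "rollover"


def summarize(text: str) -> dict:
    keys = parse_dnskey_records(text)
    return {
        "ksk_tags": [k.key_tag for k in keys if k.is_ksk],
        "zsk_tags": [k.key_tag for k in keys if not k.is_ksk],
        "phase": ksk_rollover_phase(keys),
    }


if __name__ == "__main__":
    # Real use: pipe `dig DNSKEY <zone>` output into stdin instead.
    print(summarize(SAMPLE_DIG_OUTPUT))
```

Note that "dig DNSKEY" only shows a key between its publish and removal times, so a script built on it can only observe the window in which both KSKs are published; whether the new key is already used for signing (the DS swap at the parent, the CDS/CDNSKEY records) is not visible from this RRset alone. On BIND 9.16 and later, "rndc dnssec -status <zone>" reports the per-key states that KASP tracks internally and is the more direct source for such checks.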