Hey again!
On 03.03.25 3:18 PM, Matthijs Mekking wrote:
> Hi Bernd,
>
> Sorry for taking a long time to answer these questions:
>
No worries, I had/have no time pressure.
>> 1) Timing Options:
>>
>> I haven't grasped yet all the defaults and their calculated interaction
>> when I let `bind9` ma
Hi Bernd,
Sorry for taking a long time to answer these questions:
> 1) Timing Options:
>
> I haven't grasped yet all the defaults and their calculated interaction
> when I let `bind9` manage the signing keys for a zone, which in the end
> just follows an RFC, if I'm right? I would like to "rep
On 24.02.25 9:47 AM, Matthijs Mekking wrote:
> Hi Bernd,
>
Hey Matthijs,
Why not let us start all over again :) (I really do thank you so much
for taking the time!)
> Non-signing keys (for example a stand-by key) are a bit tricky in
> dnssec-policy and not fully supported.
>
> In 9.18, I woul
On 24-02-2025 11:51, Bernd Naumann wrote:
...
In 9.18, I would suggest disabling inline-signing and just adding the
DNSKEY record to the zone. Don't put the key files for the stand-by key
in the 'key-directory', this should only hold signing keys.
Yep, I've done that; except "Don't put the ke
On 24.02.25 11:51 AM, Bernd Naumann wrote:
>
> Mhm. But *how* is *everyone else* using DNSSEC then?
>
https://www.ripe.net/manage-ips-and-asns/dns/dnssec/dnssec-policy-and-practice-statement/#DNSSECPolicyandPracticeStatement-KeySigningKeyRoll-over
Does someone know any other good DNSSEC Practic
On 24.02.25 11:22 AM, Matthijs Mekking wrote:
>> But what I don't understand; RFC 7583 explicitly mentioned pre-publishing of
>> DSDATA of ZSK, but not for KSK (IIUC)?
>
> And I am confused about the phrase "DSDATA of ZSK".
Sorry, I'm not fully confident yet about the wording here and there...
I think
Hi Bernd,
On 24-02-2025 10:12, Bernd Naumann wrote:
Hi Matthijs, thanks for your response.
On 24.02.25 9:47 AM, Matthijs Mekking wrote:
Hi Bernd,
Non-signing keys (for example a stand-by key) are a bit tricky in
dnssec-policy and not fully supported.
Yeah, I figured that in the meantime :
Hi Matthijs, thanks for your response.
On 24.02.25 9:47 AM, Matthijs Mekking wrote:
> Hi Bernd,
>
> Non-signing keys (for example a stand-by key) are a bit tricky in
> dnssec-policy and not fully supported.
>
Yeah, I figured that in the meantime :/
But what I don't understand; RFC 7583 explic
Hi Bernd,
Non-signing keys (for example a stand-by key) are a bit tricky in
dnssec-policy and not fully supported.
In 9.18, I would suggest disabling inline-signing and just adding the
DNSKEY record to the zone. Don't put the key files for the stand-by key
in the 'key-directory', this should o
RFC 7583: DNSSEC Key Rollover Timing Considerations [1]
describes the various roll-over strategies and the key states...
[1] https://www.rfc-editor.org/rfc/rfc7583.html
I've followed the ARM and the DNSSEC Guide, as well as some ISC KB blog
posts.
What I got working on BIND 9.18.33:
* adding a dnssec-policy
* adding a zone using that dnssec-policy
- setting only SOA, NS, and the for NS for a minimal zone
* reload zone
I got a KSK and ZSK; the zone