>> My experience with changing the timing metadata or removing the key
>> files is that named issues a warning like the following: zone /IN:
>> Key // missing or inactive and has no
>> replacement: retaining signatures. In this circumstance none of the
>> RRSIGs or NSECs are removed. They sit the
Spain, Dr. Jeffry A. wrote:
>
> My experience with changing the timing metadata or removing the key
> files is that named issues a warning like the following: zone /IN:
> Key // missing or inactive and has no
> replacement: retaining signatures. In this circumstance none of the
> RRSIGs or NSECs a
I propose the following addition to the Bv9ARM, and request review and comment
by the experts on this list.
--
4.9.14 DNSKEY Algorithm Rollover
From time to time new digital signature algorithms with improved security are
introduced, and it may be desirable for administrators to roll
>> I discovered that if there was not at least one KSK and ZSK of the same
>> algorithm, dnssec-signzone would fail. If one goes with defaults, KSK life
>> of one year and ZSK of one month, effectively to roll a key algorithm and
>> without forcing the roll-over by removing all the old key/algor
> I discovered that if there was not at least one KSK and ZSK of the same
> algorithm, dnssec-signzone would fail. If one goes with defaults, KSK life of
> one year and ZSK of one month, effectively to roll a key algorithm and
> without forcing the roll-over by removing all the old key/algorithm
> I don't think that BIND trying to sign with a non-existent key will do any harm
> - probably just a warning.
> But it's simpler - change the metadata of the key - set the deletion time to the time
> you want the key to be deleted (like DS deletion time + TTL).
> BIND with auto-dnssec allow re-reads the metad
On Sat, 2012-06-23 at 22:34 +, Spain, Dr. Jeffry A. wrote:
> I'm experimenting with rolling over my DNSKEYs from algorithm 7 to 8.
> The Bv9ARM doesn't discuss this procedure explicitly as far as I can
> tell, but section 4.9 presents some clues. I'd like to ask the experts
> on this list if th
Hello.
I don't think that BIND trying to sign with a non-existent key will do any
harm - probably just a warning.
But it's simpler - change the metadata of the key - set the deletion time to the
time you want the key to be deleted (like DS deletion time + TTL).
BIND with auto-dnssec allow re-reads the metadata
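
The two points the thread turns on, the missing same-algorithm KSK/ZSK pair that makes dnssec-signzone fail and retiring the old keys through their timing metadata (set the Delete time to DS removal time plus TTL and let named with auto-dnssec re-read it), as an added example that is not code from this thread or from BIND. It reads the timing fields BIND stores in K*.private files and the flags of the DNSKEY record in the matching .key file, then reports, for a given instant, every algorithm whose DNSKEY is still published but has no active KSK or ZSK of that algorithm; in that state no complete set of RRSIGs can be produced for the algorithm, which RFC 4035 section 2.2 requires for every algorithm in the apex DNSKEY RRset. The key names, key ids, dates and key material are constructed sample data.

```python
"""Check DNSSEC key timing metadata during a DNSKEY algorithm rollover.

Added example; not code from the bind-users thread or from BIND.  Models the
fields BIND keeps in K<zone>.+<alg>+<id>.private (Publish/Activate/Inactive/
Delete, YYYYMMDDHHMMSS in UTC) and the DNSKEY flags in the .key file
(257 = KSK because the SEP bit is set, 256 = ZSK).
"""
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y%m%d%H%M%S"            # BIND's key-metadata timestamp format
TIMING_FIELDS = ("Publish", "Activate", "Revoke", "Inactive", "Delete")


def parse_ts(s):
    """'20120801000000' -> timezone-aware UTC datetime."""
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def fmt_ts(dt):
    """Aware datetime -> 'YYYYMMDDHHMMSS' in UTC, as dnssec-settime accepts."""
    return dt.astimezone(timezone.utc).strftime(TS_FMT)


def parse_private(text):
    """Pull the Algorithm number and the timing fields out of a .private file."""
    meta = {}
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if not sep:
            continue
        field, value = field.strip(), value.strip()
        if field == "Algorithm":            # e.g. "8 (RSASHA256)"
            meta["algorithm"] = int(value.split()[0])
        elif field in TIMING_FIELDS:
            meta[field] = parse_ts(value)
    return meta


def parse_role(key_text):
    """Return 'KSK' or 'ZSK' from the flags of the DNSKEY RR in a .key file."""
    for line in key_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith(";") or "DNSKEY" not in tokens:
            continue
        flags = int(tokens[tokens.index("DNSKEY") + 1])
        return "KSK" if flags & 1 else "ZSK"   # low bit of the flags is SEP
    raise ValueError("no DNSKEY record found")


def load_key(key_text, private_text):
    meta = parse_private(private_text)
    meta["role"] = parse_role(key_text)
    return meta


def _in_window(meta, start, end, at):
    s, e = meta.get(start), meta.get(end)
    return s is not None and s <= at and (e is None or at < e)


def is_published(meta, at):          # DNSKEY present in the zone at `at`
    return _in_window(meta, "Publish", "Delete", at)


def is_active(meta, at):             # key used for signing at `at`
    return _in_window(meta, "Activate", "Inactive", at)


def missing_signers(keys, at):
    """(algorithm, role) pairs that are published but have no active key.

    Empty result: every algorithm in the DNSKEY RRset has an active KSK and
    ZSK, so the zone can be fully signed with each algorithm present.
    """
    published = {k["algorithm"] for k in keys if is_published(k, at)}
    active = {(k["algorithm"], k["role"]) for k in keys if is_active(k, at)}
    return sorted((alg, role) for alg in published for role in ("KSK", "ZSK")
                  if (alg, role) not in active)


def delete_time(ds_removed_at, ds_ttl_seconds):
    """Delete timestamp for an old-algorithm key, following the reply's rule of
    thumb: the time the old DS leaves the parent plus the DS TTL."""
    return fmt_ts(ds_removed_at + timedelta(seconds=ds_ttl_seconds))


# Constructed sample key files (hypothetical zone, key ids and key material).
# Algorithm 7 KSK/ZSK being retired, algorithm 8 KSK/ZSK being introduced.
SAMPLE_KEYS = {
    "Kexample.com.+007+11111": (
        "example.com. IN DNSKEY 257 3 7 AwEAAdummyKSK7==\n",
        "Private-key-format: v1.3\nAlgorithm: 7 (NSEC3RSASHA1)\n"
        "Publish: 20110601000000\nActivate: 20110601000000\n"
        "Inactive: 20120801000000\nDelete: 20120815000000\n"),
    "Kexample.com.+007+22222": (
        "example.com. IN DNSKEY 256 3 7 AwEAAdummyZSK7==\n",
        "Private-key-format: v1.3\nAlgorithm: 7 (NSEC3RSASHA1)\n"
        "Publish: 20120601000000\nActivate: 20120601000000\n"
        "Inactive: 20120801000000\nDelete: 20120815000000\n"),
    "Kexample.com.+008+33333": (
        "example.com. IN DNSKEY 257 3 8 AwEAAdummyKSK8==\n",
        "Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n"
        "Publish: 20120623000000\nActivate: 20120623000000\n"),
    "Kexample.com.+008+44444": (
        "example.com. IN DNSKEY 256 3 8 AwEAAdummyZSK8==\n",
        "Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n"
        "Publish: 20120623000000\nActivate: 20120701000000\n"),
}


def load_sample():
    return [load_key(k, p) for k, p in SAMPLE_KEYS.values()]


def main():
    keys = load_sample()
    for day in ("20120625000000", "20120702000000",
                "20120802000000", "20120816000000"):
        print(day, missing_signers(keys, parse_ts(day)) or "ok")
    # Old DS pulled from the parent on 2012-08-01 with a one-day DS TTL:
    print("dnssec-settime -D", delete_time(parse_ts("20120801000000"), 86400),
          "Kexample.com.+007+11111")


if __name__ == "__main__":
    main()
```

On the sample timeline the check flags 2012-06-25 (the algorithm 8 ZSK is published but not yet active, so algorithm 8 has a KSK with no ZSK) and 2012-08-02 (both algorithm 7 keys are inactive but still published), and passes once the algorithm 7 keys are deleted. The published-but-inactive case is the one in which named reports a key as missing or inactive with no replacement and retains the existing signatures, as quoted above. The timestamp printed at the end is in the form that `dnssec-settime -D` takes for the Delete time; `-I` sets the Inactive time in the same format.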