Hello,
I put the management of DNSSEC with KASP, the zone is well functional. (dig
with "AD" flag etc)
On the other hand, I can't see when the key rollover period for my KSK is
over (2 KSKs with a dig DNSKEY...)
Without KASP, it was easy because I generated the second KSK key but with
KASP, it i
' or set up parental-agents to do it for you.
>
> Best regards,
>
> Matthijs
>
> On 1/17/23 09:38, adrien sipasseuth wrote:
> > Hello,
> >
> > I put the management of DNSSEC with KASP, the zone is well functional.
> > (dig with "AD" flag et
s that right?
>
> In addition to the DNSKEY TTL yes. The successor KSK should be
> pre-published the sum of dnskey-ttl, publish-safety, and
> zone-propagation-delay, prior to its retirement.
>
> Best regards,
>
> Matthijs
>
> On 1/24/23 09:08, adrien sipasseuth wrot
NSKEYState: rumoured
KRRSIGState: rumoured
DSState: hidden
GoalState: omnipresent
Regards Adrien
Le mar. 24 janv. 2023 à 15:18, adrien sipasseuth <
sipasseuth.adr...@gmail.com> a écrit :
> Hello,
>
> I don't why DSState: hidden, it's ok with some online check tools like
a écrit :
>
>
> On 1/24/23 15:18, adrien sipasseuth wrote:
> > Hello,
> >
> > I don't why DSState: hidden, it's ok with some online check tools like :
> > - https://dnssec-analyzer.verisignlabs.com/
> > <https://dnssec-analyzer.verisignlabs.com/&
19:49, Nick Tait via bind-users <
> bind-users@lists.isc.org> wrote:
> >
> > On 9/02/23 05:17, adrien sipasseuth wrote:
> >> so it works BUT I need to know more than 48h in advance that the
> rollover is starting to submit the new KSK to my registar.
> >
## question 3 #
In state file, when the remove date issue, can i just remove the key,
anything else to do ?
Regards,
Adrien SIPASSEUTH
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with pai
withdraw )" and wait until all RRSIG sign (with
the old KSK) expire. In that case, how can i check this ? (some dig command
? or check state file for "DSState: unretentive" ?)
regards,
Adrien
Le ven. 17 mai 2024 à 15:13, Matthijs Mekking a écrit :
> Hi,
>
> On 5/16/24
copied on each slaves?
There some tuto / documentation about how to setup KASP in master / slaves
topology ?
Sorry if it's not enough clear...
Thank you
*Adrien SIPASSEUTH*
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of
should **not** copy the dnssec-policy configuration to your
> secondaries. They transfer in the signed zone from the primary server.
>
> Best regards,
>
> Matthijs
>
>
> On 12/9/22 09:24, adrien sipasseuth wrote:
> > Hello,
> >
> >
> > Lokking for some gui
imary zones. So
>
> zone "***" {
>type secondary;
> primaries { ***; };
>file "***.db";
> };
>
> is enough.
>
> Best regards,
>
> Matthijs.
>
> On 12/9/22 09:58, adrien sipasseuth wrote:
> > Hi Matthijs,
> &
Hi,
Ok, I got confused, no need for the keys on the slavs actually.
On the other hand, my slaves should generate the .signed, .signed.jnl and
.jbk files of my zones, no? currently it is not my case, should I copy them
from the master?
moreover, when I test a "dig A" I don't have the associated R
nssec-guide.html#using-dig-to-verify
>
> My “flags” line does not show the “ad” flag as this is just a set of
> private servers on a local lan. I can’t submit the DNSSEC details upstream
> as described here:
>
>
> https://bind9.readthedocs.io/en/v9_18_9/dnssec-guide.html#up
Hello,
In KASP poliicy, How to determine the pre-publication time, i found these
parameters :
- publish-safety
- retire-safety
- purge-keys
In my understanding, the next key is pre-publish at publish-safety +
retire-safety ?
Regards
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to
50221113816 (Fri Feb 21 12:38:16 2025)
DNSKEYState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden
So when can i "archive" / remove from file system my expired KSK ?
Regards,
Adrien SIPASSEUTH
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
15 matches
Mail list logo
