Hello David.... Do you mean "double signature"? I will try to find more about it. Thank you very much.

On Mon, 26 Jun 2023 at 11:49, David Njuki <[email protected]> wrote:

> Hi Daniel,
>
> From my understanding of KASP implementation, a double signature signing
> during the KSK rollover should have you covered.
> You can have the existing and the new KSK at the same time and remove the
> old one once it has expired.
> By implication, the chain of trust should still hold for your
> applications.
>
> How much time now depends on what you have set on your policy.
>
> Regards,
> David
>
>
> On Mon, 26 Jun 2023 at 17:22, daniel majela <[email protected]> wrote:
>
>> Hey guys....
>>
>> I'm testing KASP...bind9 9.16.23
>> I created a policy like this...
>> dnssec-policy "my-policy" {
>>     dnskey-ttl 3600;
>>     keys {
>>         ksk lifetime P1Y algorithm ecdsap256sha256;
>>         zsk lifetime 60d algorithm ecdsap256sha256;
>>     };
>>     nsec3param iterations 0 opt at salt-length 8;
>>
>> The KSK and ZSK key generation were created correctly and I kept the
>> "inline-signing yes" line.
>> My doubt is the following.
>> Every 2 months the ZSK replaces the keys automatically and I shouldn't
>> have any problems, correct?
>> Every 1 year the KSK key will be replaced and I will have to observe the
>> new HASH value and configure it in mine (registro.br). My doubt is
>> whether my applications within the zone that generated a new ksk key will
>> be outside? How much time do I have to replace the hash value in
>> (registro.br)? I couldn't understand that.... there are many zones that I
>> have and how to manage that "tomorrow" a KSK will expire.
>> Thanks.
>>
>> --
>> Daniel Majela Galvão
>> http://br.linkedin.com/pub/daniel-souza/6/1b1/774
>>
>> (55-012) - 9-8201-9885
>> (55-012) - 9-9761-1511
>> (55-012) - 32076909
>> _______________________________________________
>> dns-operations mailing list
>> [email protected]
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>
>

--
Daniel Majela Galvão
http://br.linkedin.com/pub/daniel-souza/6/1b1/774

(55-012) - 9-8201-9885
(55-012) - 9-9761-1511
(55-012) - 32076909
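
The hash value submitted to the parent in this thread is the DS record of the KSK. The following Python is an added example, not code from the thread or from BIND: it derives the SHA-256 DS of each KSK in a zone (RFC 4034 digest and key tag) and compares it with the DS set at the parent, which shows during a rollover which KSK the parent still lacks. The zone name `example.test.`, the key bytes and the function names are constructed for illustration.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-cased) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_for(zone, flags, protocol, algorithm, pubkey_b64):
    """DS fields for one DNSKEY: (key tag, algorithm, digest type 2, SHA-256 hex)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def rollover_state(zone, dnskeys, parent_ds):
    """Compare the DS records implied by the zone's KSKs with the parent's DS set."""
    expected = {ds_for(zone, *k) for k in dnskeys if k[0] & 0x0001}  # SEP bit marks a KSK
    parent = {(t, a, dt, d.upper()) for t, a, dt, d in parent_ds}
    return {"missing_at_parent": sorted(expected - parent),
            "covered": sorted(expected & parent),
            "orphaned_at_parent": sorted(parent - expected)}

# Constructed sample data: 64 placeholder bytes per key, not real ECDSA P-256 points.
# Algorithm 13 is ECDSAP256SHA256, as in the policy quoted in the thread.
ZONE = "example.test."
OLD_KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
NEW_KSK = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
ZSK = (256, 3, 13, base64.b64encode(bytes(range(128, 192))).decode())
PARENT_DS = [ds_for(ZONE, *OLD_KSK)]  # parent still lists only the old KSK

if __name__ == "__main__":
    state = rollover_state(ZONE, [OLD_KSK, NEW_KSK, ZSK], PARENT_DS)
    for status, records in state.items():
        for tag, alg, dtype, digest in records:
            print(f"{status}: {ZONE} DS {tag} {alg} {dtype} {digest}")
```

Run per zone with the DNSKEY and DS sets obtained from the zone and its parent; a KSK under `missing_at_parent` is the one whose DS still has to be submitted.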
