Hi,
This is a topic better suited to [email protected], but I'll
respond here inline.
On 6/26/23 15:19, daniel majela wrote:
Hey guys....
I'm testing KASP... bind9 9.16.23.
I created a policy like this:
dnssec-policy "my-policy" {
    dnskey-ttl 3600;
    keys {
        ksk lifetime P1Y algorithm ecdsap256sha256;
        zsk lifetime 60d algorithm ecdsap256sha256;
    };
    // the optout value was garbled in the quoted message; "no" is assumed here
    nsec3param iterations 0 optout no salt-length 8;
};
The KSK and ZSK key generation were created correctly and I kept the
"inline-signing yes" line.
My doubt is the following.
Every 2 months the ZSK replaces the keys automatically, and I shouldn't
have any problems, correct?
Correct.
Every 1 year the KSK key will be replaced and I will have to observe the
new HASH value and configure it in mine (registro.br). My doubt is whether
my applications within the zone that generated a new KSK key will be
outside? How much time do I have to replace the hash value in
(registro.br)? I couldn't understand that.... There are many zones that I
have, and how do I manage that "tomorrow" a KSK will expire?
After introducing a new KSK, after some time a CDS/CDNSKEY record will
be added to the zone. The rollover will not continue until you tell BIND
9 that the DS (a.k.a. the hash value) is in the parent.
After you have seen the DS in the parent, you should use 'rndc' to tell so:
rndc dnssec -checkds published -key <keyid> <zone>
If you replaced the DS in the parent, also tell BIND so with:
rndc dnssec -checkds withdrawn -key <keyid> <zone>
Alternatively you can set up parental-agents that will query those
servers for the DS RRset during KSK rollover.
Best regards,
Matthijs
Thanks.
--
Daniel Majela Galvão
http://br.linkedin.com/pub/daniel-souza/6/1b1/774
(55-012) - 9-8201-9885
(55-012) - 9-9761-1511
(55-012) - 32076909
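The step Matthijs describes above, checking that the parent really serves the new DS before running 'rndc dnssec -checkds published', is easy to get wrong by hand across many zones. The script below is an added example for this thread, not code from the original messages or from BIND: it normalises the CDS rdata the signer publishes and the DS rdata the parent serves (dig prints long digests split by spaces and parents differ in hex case), signals BIND only when every CDS for the given key id has an identical DS at the parent, and otherwise tells you to keep waiting. The zone name, key id, parent server and the 127.0.0.1 signer address are placeholders, and the sample CDS/DS rdata used for the offline run is constructed, not from any real zone.

```shell
#!/bin/sh
# Added example (not from the thread or from BIND itself): before telling
# BIND that the new KSK's DS is in the parent, compare the CDS RRset the
# signer publishes with the DS RRset the parent serves, and only run
# "rndc dnssec -checkds published" when every CDS for that key id has an
# identical DS at the parent. Zone, key id and parent server are placeholders.

# ds_norm KEYTAG: read "keytag alg digesttype digest" lines (as printed by
# 'dig +short DS' / 'dig +short CDS') on stdin, keep those for KEYTAG, and
# print them with the digest uppercased and the whitespace dig inserts into
# long digests removed, so parent and child output compare as plain text.
ds_norm() {
    awk -v tag="$1" '$1 == tag && NF >= 4 {
        d = ""
        for (i = 4; i <= NF; i++) d = d $i
        print $1, $2, $3, toupper(d)
    }' | sort -u
}

# ds_published KEYTAG CDS_RDATA DS_RDATA
# Returns 0 when the child publishes at least one CDS for KEYTAG and the
# parent serves a matching DS for each of them, 1 otherwise.
ds_published() {
    keytag=$1
    want=$(printf '%s\n' "$2" | ds_norm "$keytag")
    have=$(printf '%s\n' "$3" | ds_norm "$keytag")
    # no CDS for this key: nothing to check, so do not signal BIND
    [ -n "$want" ] || return 1
    missing=$(printf '%s\n' "$want" | while IFS= read -r rr; do
        printf '%s\n' "$have" | grep -Fxq -- "$rr" || printf '%s\n' "$rr"
    done)
    [ -z "$missing" ]
}

# check_and_signal ZONE KEYTAG PARENT_NS: the live version of the check.
# 127.0.0.1 is assumed to be the inline-signing server and PARENT_NS one of
# the parent's authoritative servers (for registro.br, a .br server).
check_and_signal() {
    zone=$1 keytag=$2 parent=$3
    cds=$(dig +short CDS "$zone" @127.0.0.1)
    ds=$(dig +short DS "$zone" "@$parent")
    if ds_published "$keytag" "$cds" "$ds"; then
        rndc dnssec -checkds published -key "$keytag" "$zone"
        rndc dnssec -status "$zone"
    else
        echo "$zone: DS for key $keytag not (fully) in parent yet, not signalling" >&2
        return 1
    fi
}

# Constructed sample rdata (not real keys) for an offline run.
SAMPLE_CDS='12345 13 2 1F2E3D4C5B6A79880123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'
# parent has the new DS; digest shown lowercase and split the way dig prints it
SAMPLE_DS_NEW='12345 13 2 1f2e3d4c5b6a79880123456789abcdef0123456789abcdef0123456789ab cdef
11111 13 2 0000000000000000000000000000000000000000000000000000000000000000'
# parent still serves only the old KSK's DS
SAMPLE_DS_OLD='11111 13 2 0000000000000000000000000000000000000000000000000000000000000000'

if [ $# -eq 3 ]; then
    check_and_signal "$1" "$2" "$3"
else
    ds_published 12345 "$SAMPLE_CDS" "$SAMPLE_DS_NEW" && echo "new DS present: safe to run checkds published"
    ds_published 12345 "$SAMPLE_CDS" "$SAMPLE_DS_OLD" || echo "old DS only: keep waiting"
fi
```

Run it with no arguments for the offline demonstration, or as `./checkds.sh example.com.br 12345 a.dns.br` (placeholders) to query live servers and signal BIND. The same comparison, with the parent's DS for the old key gone, is what you would want before 'rndc dnssec -checkds withdrawn'.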
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations