On 12/22/22 16:23, Eric Germann wrote:
> On Dec 22, 2022, at 09:32, Matthijs Mekking <matth...@isc.org> wrote:
> </snip>
>> I hope you have read our KB article on dnssec-policy before migrating:
>> https://kb.isc.org/v1/docs/en/dnssec-key-and-signing-policy
>> It should list the main pitfalls to save you a lot of hassle (I suspect you
>> started algorithm rollover immediately when changing to dnssec-policy default).
>> If there are any things we should add, I am happy to receive your suggestions.
>
> Are there any examples from ISC on how to handle multiple algorithms in the
> dnssec-policy stanza? I’m running 8 and 13 both as an experiment.
>
> Eric

Just list the keys you want. So for example double algorithm, zsk and ksk:

dnssec-policy "example" {   # the name is a placeholder; named requires one
    keys {
        # RSASHA256
        ksk key-directory lifetime P1Y algorithm 8;
        zsk key-directory lifetime P1M algorithm 8;
        # ECDSAP256SHA256
        ksk key-directory lifetime P1Y algorithm 13;
        zsk key-directory lifetime P1M algorithm 13;
    };
};

Matthijs
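
An added example, not from the thread or from ISC: a small Python lint that reads a dnssec-policy keys block like the one above and reports any algorithm that has neither a KSK and ZSK pair nor a CSK, since RFC 4035 section 2.2 requires every RRset to be signed by each algorithm present in the apex DNSKEY RRset. The policy name "dual-alg", the sample fragment and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input in the shape discussed above.
# The policy name "dual-alg" is a placeholder, not taken from the thread.
SAMPLE = '''
dnssec-policy "dual-alg" {
    keys {
        ksk key-directory lifetime P1Y algorithm 8;    # RSASHA256
        zsk key-directory lifetime P1M algorithm 8;
        ksk key-directory lifetime P1Y algorithm 13;   # ECDSAP256SHA256
        zsk key-directory lifetime P1M algorithm 13;
    };
};
'''

# Algorithm mnemonics mapped to their IANA DNSSEC algorithm numbers,
# so "rsasha256" and "8" are treated as the same algorithm.
ALIASES = {"rsasha256": "8", "rsasha512": "10", "ecdsap256sha256": "13",
           "ecdsap384sha384": "14", "ed25519": "15", "ed448": "16"}

# role [key-directory] lifetime <duration> algorithm <alg> [<bits>];
KEY_RE = re.compile(
    r'\b(csk|ksk|zsk)\s+(?:key-directory\s+)?lifetime\s+(\S+)\s+'
    r'algorithm\s+(\S+?)(?:\s+(\d+))?\s*;', re.I)

def parse_keys(conf):
    """Return {algorithm number: set of roles} for each key line found."""
    conf = re.sub(r'(#|//).*', '', conf)  # strip line comments first
    roles = defaultdict(set)
    for role, _lifetime, alg, _bits in KEY_RE.findall(conf):
        alg = alg.strip('"').lower()
        roles[ALIASES.get(alg, alg)].add(role.lower())
    return dict(roles)

def lint(conf):
    """List algorithms that cannot sign both the DNSKEY RRset and zone data."""
    problems = []
    for alg, roles in sorted(parse_keys(conf).items()):
        if "csk" in roles or {"ksk", "zsk"} <= roles:
            continue  # complete: a CSK, or a KSK plus a ZSK
        missing = sorted({"ksk", "zsk"} - roles)
        problems.append(f"algorithm {alg}: no {'/'.join(missing)} (and no csk)")
    return problems

if __name__ == "__main__":
    print(parse_keys(SAMPLE))
    print(lint(SAMPLE) or "every algorithm has a complete key set")
```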