Re: key dir massive

2022-12-23 Thread Matthijs Mekking



On 12/22/22 16:23, Eric Germann wrote:

> On Dec 22, 2022, at 09:32, Matthijs Mekking wrote:
>
> > I hope you have read our KB article on dnssec-policy before migrating:
> >
> >   https://kb.isc.org/v1/docs/en/dnssec-key-and-signing-policy
> >
> > It should list the main pitfalls to save you a lot of hassle (I suspect you
> > started algorithm rollover immediately when changing to dnssec-policy default).
> >
> > If there are any things we should add, I am happy to receive your suggestions.
>
> Are there any examples from ISC on how to handle multiple algorithms in the
> dnssec-policy stanza?  I’m running 8 and 13 both as an experiment
>
> Eric


Just list the keys you want. So for example double algorithm, zsk and ksk:

# Policy name is a placeholder; the key list must sit inside a "keys" block.
dnssec-policy "double-algorithm" {
  keys {
    # RSASHA256
    ksk key-directory lifetime P1Y algorithm 8;
    zsk key-directory lifetime P1M algorithm 8;
    # ECDSAP256SHA256
    ksk key-directory lifetime P1Y algorithm 13;
    zsk key-directory lifetime P1M algorithm 13;
  };
};

Matthijs
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: key dir massive

2022-12-22 Thread Eric Germann via bind-users
> On Dec 22, 2022, at 09:32, Matthijs Mekking wrote:
>
> I hope you have read our KB article on dnssec-policy before migrating:
> 
>  https://kb.isc.org/v1/docs/en/dnssec-key-and-signing-policy
> 
> It should list the main pitfalls to save you a lot of hassle (I suspect you 
> started algorithm rollover immediately when changing to dnssec-policy 
> default).
> 
> If there are any things we should add, I am happy to receive your suggestions.

Are there any examples from ISC on how to handle multiple algorithms in the 
dnssec-policy stanza?  I’m running 8 and 13 both as an experiment

Eric



Re: key dir massive

2022-12-22 Thread Matthijs Mekking

Hi Edwardo,

On 12/22/22 05:01, Edwardo Garcia wrote:

> Hi,
> I recently upgraded from 9.16 to the latest version and changed a zone, ran
> the Verisign test and it said all good, so changed my zones from auto
> maintain dnssec to dnssec policy default, what a nightmare, most of our
> zones vanished a few hours later for a day, and it created new keys for
> everything; this bug I saw was fixed many versions ago, should it not
> see I have keys and re-use them (keys were made a year ago on current
> at the time v9.11, we upgraded to 9.16 in July and no issue till this
> option name change rubbish). I was warned by colleagues not to do this as
> they too say migration nightmares, but I am my own person and now I
> regret not listening to their advice.


I hope you have read our KB article on dnssec-policy before migrating:

  https://kb.isc.org/v1/docs/en/dnssec-key-and-signing-policy

It should list the main pitfalls to save you a lot of hassle (I suspect 
you started algorithm rollover immediately when changing to 
dnssec-policy default).


If there are any things we should add, I am happy to receive your 
suggestions.



> Now I think it is under control. Once I have identified the current key set, is
> it safe to manually delete all the other keys' private and state files,
> except the current one, and will any of that DS change again?


Probably, without knowing your current state of things it is hard to 
give a more confident answer.


Setting 'purge-keys' inside your 'dnssec-policy' is probably your best 
bet for the future. By default, no longer used keys are deleted from 
disk after 90 days.


Best regards,

Matthijs
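Putting the two replies together, here is an added example (not from the thread or from ISC) of a complete named.conf fragment: the double-algorithm key list Matthijs gives Eric earlier on this page, plus the 'purge-keys' setting suggested in this reply. The policy name "dual-alg", the zone "example.com" and the file paths are placeholders.

```conf
# Added example, not part of the original thread.
# One KSK/ZSK pair per algorithm: 8 (RSASHA256) and 13 (ECDSAP256SHA256).
# "dual-alg", "example.com" and the paths below are placeholders.
dnssec-policy "dual-alg" {
    keys {
        # RSASHA256
        ksk key-directory lifetime P1Y algorithm 8;
        zsk key-directory lifetime P1M algorithm 8;
        # ECDSAP256SHA256
        ksk key-directory lifetime P1Y algorithm 13;
        zsk key-directory lifetime P1M algorithm 13;
    };
    # Delete key files from disk 90 days after the key is retired.
    # P90D is also the built-in default; P0D disables purging entirely.
    purge-keys P90D;
};

zone "example.com" {
    type primary;
    file "/var/named/example.com.db";
    # Directory the "key-directory" keyword above refers to.
    key-directory "/var/named/keys/example.com";
    dnssec-policy "dual-alg";
    inline-signing yes;
};
```

Run named-checkconf before reloading, and watch the rollover with rndc dnssec -status example.com so that the DS for both algorithms is published in the parent before any old key is retired.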