Hi Mark,
On 24-11-2022 13:44, Mark Elkins via bind-users wrote:
OK - so I read RFC7344... Automating DNSSEC Delegation Trust Maintenance
There are two interesting paragraphs.
5. CDS/CDNSKEY Publication
The Child DNS Operator publishes CDS/CDNSKEY RRset(s). In order to
be valid, the CDS/CDNSKEY RRset(s) MUST be compliant with the
:-) Will let you know in a year!
ps - please, please keep the CDS's in the child zone - reflecting the
current KSK's! (etc)
On 2022/11/24 09:50, Matthijs Mekking wrote:
Hi,
I think this should work with some caveats.
First, if you migrate to dnssec-policy (that is the zone is already
signed), make sure that the key properties match the current DNSKEYs.
Second is about your script:
> If the child loses a CDS record - my external script will remove the
>
Hi people,
I have read https://kb.isc.org/docs/dnssec-key-and-signing-policy
I have put the following policy in my named.conf file:-
dnssec-policy "ecdsa256-policy" {
    signatures-refresh 5d;
    signatures-validity 14d;
    signatures-validity-dnskey 14d;
    dnskey-ttl 3600;