[dns-operations] About KASP

daniel majela dmajela at gmail.com
Mon Jun 26 13:19:04 UTC 2023


Hey guys....

I'm testing KASP...bind9 9.16.23
I created a policy like this...
dnssec-policy "my-policy" {
     dnskey-ttl 3600;
     keys {
         ksk lifetime P1Y algorithm ecdsap256sha256;
         zsk lifetime 60d algorithm ecdsap256sha256;
     };
     nsec3param iterations 0 opt at salt-length 8;
};

The KSK and ZSK keys were generated correctly and I kept the
"inline-signing yes" line.
My doubt is the following.
Every 2 months the ZSK replaces the keys automatically and I shouldn't have
any problems, correct?
Every 1 year the KSK key will be replaced and I will have to observe the
new HASH value and configure it in mine (registro.br). My doubt is whether
my applications within the zone that generated a new ksk key will be
outside? How much time do I have to replace the hash value in (registro.br)?
I couldn't understand that.... there are many zones that I have and how to
manage that "tomorrow" a KSK will expire.
Thanks.

-- 
Daniel Majela Galvão
http://br.linkedin.com/pub/daniel-souza/6/1b1/774

(55-012) - 9-8201-9885
(55-012) - 9-9761-1511
(55-012) - 32076909
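
The "hash value" registered at the parent is the DS record: a digest over the zone name and the KSK's DNSKEY RDATA (RFC 4034). As an added example, not part of the original message, this offline check flags KSKs in a zone's DNSKEY set that have no matching DS at the parent, which is the condition to watch across many zones during a KSK rollover. The zone name and key material are constructed placeholders; in practice both record sets would come from DNSKEY and DS queries.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(zone):
    """Canonical wire form of the zone name: lower case, length-prefixed labels."""
    labels = [l for l in zone.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_sha256(zone, rdata):
    """DS fields (key tag, algorithm, digest type 2, digest) for one DNSKEY."""
    digest = hashlib.sha256(owner_wire(zone) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def ksks_missing_ds(zone, dnskeys, parent_ds):
    """DS tuples for published KSKs (SEP bit set) that the parent does not list."""
    missing = []
    for rdata in dnskeys:
        flags = struct.unpack("!H", rdata[:2])[0]
        ds = ds_sha256(zone, rdata)
        if flags & 0x0001 and ds not in parent_ds:
            missing.append(ds)
    return missing

def _fake_key(flags, start):
    # Constructed 64-byte "public key" (P-256 key size); not a real key.
    return dnskey_rdata(flags, 3, 13, base64.b64encode(bytes(range(start, start + 64))))

OLD_KSK, NEW_KSK, ZSK = _fake_key(257, 0), _fake_key(257, 64), _fake_key(256, 128)
ZONE = "example.com.br"                      # hypothetical zone name
PARENT_DS = {ds_sha256(ZONE, OLD_KSK)}       # parent still lists only the old KSK

if __name__ == "__main__":
    for ds in ksks_missing_ds(ZONE, [OLD_KSK, NEW_KSK, ZSK], PARENT_DS):
        print(f"{ZONE}: no DS at parent for KSK; submit DS {' '.join(map(str, ds))}")
```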