[dns-operations] About KASP
daniel majela
dmajela at gmail.com
Mon Jun 26 13:19:04 UTC 2023
Hey guys....
I'm testing KASP...bind9 9.16.23
I created a policy like this...
dnssec-policy "my-policy" {
    dnskey-ttl 3600;
    keys {
        ksk lifetime P1Y algorithm ecdsap256sha256;
        zsk lifetime 60d algorithm ecdsap256sha256;
    };
    nsec3param iterations 0 opt at salt-length 8;
};
The KSK and ZSK key generation were created correctly and I kept the
"inline-signing yes" line.
My doubt is the following.
Every 2 months the ZSK replaces the keys automatically and I shouldn't have
any problems, correct?
Every 1 year the KSK key will be replaced and I will have to observe the
new HASH value and configure it in mine (registro.br). My doubt is whether
my applications within the zone that generated a new ksk key will be
outside? How much time do I have to replace the hash value in (registro.br)?
I couldn't understand that.... there are many zones that I have and how to
manage that "tomorrow" a KSK will expire.
Thanks.
--
Daniel Majela Galvão
http://br.linkedin.com/pub/daniel-souza/6/1b1/774
(55-012) - 9-8201-9885
(55-012) - 9-9761-1511
(55-012) - 32076909
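
Added example, not part of the original message: the "HASH value" handed to the parent registry is a DS record, a digest over the zone name and the KSK's DNSKEY RDATA (RFC 4034, SHA-256 digest type 2 per RFC 4509), so it changes when the KSK rolls and not when the ZSK rolls. The Python sketch below derives it; the function names are hypothetical, and the owner name and key bytes are constructed sample values, not a real key.

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical (lowercased) DNS wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (not for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, key_b64):
    """Return (key_tag, algorithm, digest_type, digest_hex) for a SHA-256 DS."""
    # Assumption of this example: only keys with the SEP bit set (flags 257,
    # the KSK under this policy) are published at the parent; flags 256 is a ZSK.
    if not flags & 0x0001:
        raise ValueError("SEP bit clear: this DNSKEY is a ZSK, not a KSK")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest


# Constructed sample: 64 arbitrary bytes standing in for an ECDSA P-256 public key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey("example.com.", 257, 3, 13, SAMPLE_KEY_B64)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

The fields passed in are the ones on the DNSKEY line of the KSK's .key file (flags, protocol, algorithm, base64 key); BIND's own dnssec-dsfromkey tool produces the same record from that file.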