[dns-operations] About KASP

[David Njuki]

Hi Daniel,

>From my understanding of KASP implementation, a double signature signing
during the KSK rollover should have you covered.
You can have the existing and the new KSK at the same time and remove the
old one once it has expired.
By implication, the chain of trust should still hold for your applications.

How much time now depends on what you have set on your policy.

Regards,
David


On Mon, 26 Jun 2023 at 17:22, daniel majela <dmajela at gmail.com> wrote:

> Hey guys....
>
> I'm testing KASP...bind9 9.16.23
> I created a policy like this...
> dnssec-policy "my-policy" {
>      dnskey-ttl 3600;
>      keys {
>          ksk lifetime P1Y algorithm ecdsap256sha256;
>          zsk lifetime 60d algorithm ecdsap256sha256;
>      };
>      nsec3param iterations 0 opt at salt-length 8;
>
> The KSK and ZSK key generation were created correctly and I kept the
> "inline-signing yes" line.
> My doubt is the following.
> Every 2 months the ZSK replaces the keys automatically and I shouldn't
> have any problems correct?
> Every 1 year the KSK key will be replaced and I will have to observe the
> new HASH value and configure it in mine (registro.br). My doubt is
> whether my applications within the zone that generated a new ksk key will
> be outside? How much time do I have to replace the hash value in (
> registro.br)? I couldn't understand that.... there are many zones that I
> have and how to manage that "tomorrow" a KSK will expire.
> Thanks.
>
> --
> Daniel Majela Galvão
> http://br.linkedin.com/pub/daniel-souza/6/1b1/774
>
> (55-012) - 9-8201-9885
> (55-012) - 9-9761-1511
> (55-012) - 32076909
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20230626/6baf4a83/attachment.html>