[dns-operations] About KASP

daniel majela dmajela at gmail.com
Tue Jun 27 02:30:02 UTC 2023


Hello David....

Do you mean "double signature"?
I will try to find more about it.
Thank you very much.

On Mon, 26 Jun 2023 at 11:49, David Njuki <njukey at gmail.com>
wrote:

> Hi Daniel,
>
> From my understanding of the KASP implementation, double-signature signing
> during the KSK rollover should have you covered.
> You can have the existing and the new KSK at the same time and remove the
> old one once it has expired.
> By implication, the chain of trust should still hold for your
> applications.
>
> How much time now depends on what you have set on your policy.
>
> Regards,
> David
>
>
> On Mon, 26 Jun 2023 at 17:22, daniel majela <dmajela at gmail.com> wrote:
>
>> Hey guys....
>>
>> I'm testing KASP...bind9 9.16.23
>> I created a policy like this...
>> dnssec-policy "my-policy" {
>>      dnskey-ttl 3600;
>>      keys {
>>          ksk lifetime P1Y algorithm ecdsap256sha256;
>>          zsk lifetime 60d algorithm ecdsap256sha256;
>>      };
>>      // "opt at" in the archived post is mangled; BIND's keyword is "optout yes|no"
>>      // ("no" is assumed here, which is also BIND's default)
>>      nsec3param iterations 0 optout no salt-length 8;
>> };
>>
>> The KSK and ZSK keys were generated correctly, and I kept the
>> "inline-signing yes" line.
>> My doubt is the following.
>> Every 2 months the ZSK is replaced automatically, and I shouldn't
>> have any problems, correct?
>> Every year the KSK will be replaced and I will have to note the
>> new HASH value and configure it at registro.br. My doubt is
>> whether my applications within the zone that generated a new KSK will
>> be left outside. How much time do I have to replace the hash value at
>> registro.br? I couldn't understand that.... I have many zones, and
>> how do I manage the fact that "tomorrow" a KSK will expire?
>> Thanks.
>>
>> --
>> Daniel Majela Galvão
>> http://br.linkedin.com/pub/daniel-souza/6/1b1/774
>>
>> (55-012) - 9-8201-9885
>> (55-012) - 9-9761-1511
>> (55-012) - 32076909
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>
>

-- 
Daniel Majela Galvão
http://br.linkedin.com/pub/daniel-souza/6/1b1/774

(55-012) - 9-8201-9885
(55-012) - 9-9761-1511
(55-012) - 32076909
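The one step in the thread that KASP cannot do for you is confirming that the DS at the parent (registro.br in the poster's case) still covers the KSK(s) in the zone's DNSKEY RRset. The following Python script is an added example, not code from the thread or from BIND: it computes each KSK's key tag (RFC 4034 appendix B) and SHA-256 DS digest (RFC 4034 section 5.1.4) from DNSKEY text as dig prints it, compares them with the parent's DS set, and reports KSKs that have no DS at the parent and parent DS records that match no current KSK. The inputs are constructed: the KSK and its DS are the ECDSAP256SHA256 test vector published in RFC 6605 section 6.1 (zone example.net); the ZSK line (all-zero key) and the second, stale DS (key tag 12345, all-zero digest) are made up.

```python
"""Check that the DS records a parent publishes for a zone still cover the KSKs
the zone is serving. Added example; not code from the list post or from BIND."""
import base64
import hashlib

# Constructed input. The KSK and its DS are the published RFC 6605 section 6.1
# test vector; the ZSK line and the DS with tag 12345 are made up for this example.
RFC6605_KSK_B64 = ("GojIhhXUN/u4v54ZQqGSnyhWJwaubCvTmeexv7bR6edb"
                   "krSqQpF64cYbcB7wNcP+e+MAnLr+Wi9xMWyQLc8NAA==")
ZONE_DNSKEYS = f"""
example.net. 3600 IN DNSKEY 257 3 13 {RFC6605_KSK_B64}
example.net. 3600 IN DNSKEY 256 3 13 {'A' * 86}==
"""
PARENT_DS = """
example.net. 86400 IN DS 55648 13 2 b4c8c1fe2e7477127b27115656ad6256f424625bf5c1e2770ce6d6e37df61d17
example.net. 86400 IN DS 12345 13 2 0000000000000000000000000000000000000000000000000000000000000000
"""


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """RDATA wire form of a DNSKEY RR (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B: 16-bit sum over the RDATA with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest of type 2 per RFC 4034 section 5.1.4: SHA-256(owner wire | DNSKEY RDATA)."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest()


def parse_rrs(text: str):
    """Parse 'owner TTL IN TYPE rdata...' lines (dig +noall +answer style, one RR per line).
    Returns a list of (owner, rtype, rdata_fields)."""
    rrs = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue
        rrs.append((f[0], f[3].upper(), f[4:]))
    return rrs


def check_ds_coverage(zone: str, dnskey_text: str, parent_ds_text: str) -> dict:
    """Compare the zone's KSKs (SEP flag set) with the parent's SHA-256 DS set.
    Reports KSK tags covered by a matching DS, KSKs missing at the parent, and
    parent DS records that match no current KSK (candidates for removal)."""
    ksk_ds = {}  # key tag -> (algorithm, expected DS digest)
    for owner, rtype, f in parse_rrs(dnskey_text):
        if rtype != "DNSKEY":
            continue
        flags, proto, alg = int(f[0]), int(f[1]), int(f[2])
        if not flags & 0x0001:  # SEP bit clear: a ZSK, never referenced by a DS
            continue
        rdata = dnskey_rdata(flags, proto, alg, "".join(f[3:]))
        ksk_ds[key_tag(rdata)] = (alg, ds_sha256(owner, rdata))
    parent = set()
    for _, rtype, f in parse_rrs(parent_ds_text):
        if rtype != "DS" or int(f[2]) != 2:  # only digest type 2 (SHA-256) handled here
            continue
        parent.add((int(f[0]), int(f[1]), "".join(f[3:]).lower()))
    covered = {tag for tag, (alg, d) in ksk_ds.items() if (tag, alg, d) in parent}
    return {
        "zone": zone,
        "ksk_tags": sorted(ksk_ds),
        "covered": sorted(covered),
        "missing_at_parent": sorted(set(ksk_ds) - covered),
        "stale_at_parent": sorted(t for (t, a, d) in parent if ksk_ds.get(t) != (a, d)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(check_ds_coverage("example.net", ZONE_DNSKEYS, PARENT_DS), indent=2))
```

Run it per zone over the output of `dig +noall +answer DNSKEY <zone>` against your authoritative server and `dig +noall +answer DS <zone>` against the parent's servers. During a KSK rollover, a tag in missing_at_parent is the new KSK whose DS still has to be added at registro.br; a tag in stale_at_parent is a DS that no longer matches any KSK and can be withdrawn once the old key is retired. A ZSK rollover never changes the DS, which is why the 60-day ZSK lifetime in the policy needs no registrar action. BIND's KASP does not retire the old KSK until it is told that the new DS is in the parent (rndc dnssec -checkds published, on BIND versions that provide it), so an outdated DS stalls the rollover rather than breaking validation; the stale DS still has to be cleaned up, and the script flags it.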