
List:       bind-users
Subject:    Re: Still seeing some ALG-7 DNSSE
From:       " () lbutlr" <kremels () kreme ! com>
Date:       2021-04-12 9:46:03
Message-ID: 5514C856-979C-4123-9CED-DF825E8A764E () kreme ! com



> On 12 Apr 2021, at 01:12, Matthijs Mekking <matthijs@isc.org> wrote:
> 
> 
> 
> On 11-04-2021 01:22, @lbutlr wrote:
> > On 06 Apr 2021, at 01:13, Matthijs Mekking <matthijs@isc.org> wrote:
> > > In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By default the keys are retained for 90 days after their latest usage. So in that case keys will be cleaned up automatically.
> > Excellent. Does that go in the zone record with default, or does it replace default? I don't see the syntax in the release notes.
> 
> If you don't set "purge-keys" it will be retained for 90 days. Otherwise, set it inside the 'dnssec-policy' you are using. In other words, if you want something else, use this:
> dnssec-policy "myway" {
>     purge-keys P30D;
>     ...
>     // other policy options
> };

I am using dnssec-policy default, not my own dnssec-policy.

> > Or do I add a
> > dnssec-policy "default" {
> > purge-keys 30; // (or is that field seconds?)
> > }
> > Or will that mess up the predefined for default?
> 
> First, you cannot (re)configure "default" policy, it is a builtin policy.

I found that out, yes.

> You can configure a new policy and just add a single option "purge-keys". Zones with that policy will act the same as the default policy except for how long to retain keys.

So, I have to add a new policy to every zone? That's annoying. I was hoping to force the old keys to go away faster.

> The field is a ttl value or an ISO 8601 duration. So a number is treated as seconds. If you want 30 days, use 30d or P30D.

Thank you, I may just wait and see what happens. Though no alg-7 files have been deleted yet, even for domains that are not reporting any alg-6 on dnsviz (and they are updated every hour) along with the alg-13 key.

-- 
I CAN BE ROBBED BUT NEVER DENIED, I TOLD MYSELF. WHY WORRY?  'I too
	cannot be cheated,' snapped Fate. SO I HAVE HEARD.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
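Added example (not part of the thread, and not ISC's own text): a named.conf fragment showing the arrangement Matthijs describes above, a custom dnssec-policy that sets only purge-keys and a zone that references it. The policy name "purge30", the zone name "example.com" and the file paths are assumptions; everything else uses documented dnssec-policy / zone syntax.

```conf
// Added example, not from the thread. Names and paths are assumptions.

// A custom policy that sets only the key-retention period. Every option not
// listed here is inherited from the built-in "default" policy (a single
// ECDSAP256SHA256, i.e. algorithm 13, CSK), so zones using this policy
// behave exactly like "default" except for how long retired keys are kept.
dnssec-policy "purge30" {
    // ISO 8601 duration. "30d" or a bare 2592000 (seconds) mean the same;
    // a bare number is read as seconds, not days.
    purge-keys P30D;
};

// Because the built-in "default" policy cannot be edited, each zone that
// should use the shorter retention has to reference the new policy
// explicitly; zones left on "default" keep the 90-day retention.
zone "example.com" {
    type primary;
    file "/var/lib/bind/example.com.db";   // assumed path
    key-directory "/var/lib/bind/keys";     // assumed path; where key files are purged from
    dnssec-policy "purge30";
};
```

Run named-checkconf against the edited configuration before reloading; a wrong unit on purge-keys (e.g. 30 instead of 30d) is syntactically valid and will not be flagged, so check the value itself, not just the parse.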

