key rollover with BIND 9.9
Spain, Dr. Jeffry A.
spainj at countryday.net
Sat Jan 26 17:14:10 UTC 2013
> What are other people using to automate key rollovers with 9.9?
Michael:

I automated mine by generating a set of 9 ZSKs and 2 KSKs for each zone in advance, setting the timing metadata to achieve a 90-day prepublication rollover cycle for the ZSKs and a 720-day rollover cycle for the KSKs. Once the keys are copied to a zone's key directory, BIND takes care of the rollovers automatically. My domain registrar is GoDaddy.com, so I have to manually upload the DS records for the KSKs, but I only have a few domains, and the manual process is required only at 2-year intervals. I have a bash script that generates the keys and DS records using ISC's dnssec-keygen and dnssec-dsfromkey. Please contact me off list if you want a copy of it.

Regards, Jeff.
Jeffry A. Spain
Cincinnati Country Day School
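
The scheme described in the message above, sketched as an added example; this is not the poster's script, which is not reproduced on this page. It prints the dnssec-keygen commands for 9 ZSKs on a 90-day cycle and 2 KSKs on a 720-day cycle instead of running them. The algorithm, key sizes, 30-day prepublication lead, 30-day hold before deletion and the function names are assumptions.

```shell
#!/bin/sh
# Added example: plan a pre-generated DNSSEC key set with timing metadata.
# Assumed values (not from the post): ALG, key sizes, PREPUB, HOLD.
ALG=RSASHA256
PREPUB=30   # days a key is published before it becomes active
HOLD=30     # days a retired key stays published before it is deleted

# key_times INDEX PERIOD
# Prints "publish activate inactive delete" as day offsets from now.
key_times() {
    kt_act=$(( $1 * $2 ))
    kt_pub=$(( kt_act - PREPUB ))
    # The first key cannot be prepublished in the past: publish it now.
    if [ "$kt_pub" -lt 0 ]; then kt_pub=0; fi
    kt_ina=$(( kt_act + $2 ))       # retired when its successor activates
    kt_del=$(( kt_ina + HOLD ))
    echo "$kt_pub $kt_act $kt_ina $kt_del"
}

# plan_keys ZONE KEYDIR COUNT PERIOD BITS [KSK]
# Prints one dnssec-keygen command per key, without executing it.
plan_keys() {
    zone=$1; dir=$2; count=$3; period=$4; bits=$5
    flag="${6:+-f KSK }"            # set the KSK flag only when asked
    i=0
    while [ "$i" -lt "$count" ]; do
        set -- $(key_times "$i" "$period")
        echo "dnssec-keygen -K $dir -a $ALG -b $bits -n ZONE" \
             "${flag}-P +${1}d -A +${2}d -I +${3}d -D +${4}d $zone"
        i=$(( i + 1 ))
    done
}

# plan_zone ZONE KEYDIR: the 9 ZSK / 2 KSK set from the message.
plan_zone() {
    plan_keys "$1" "$2" 9 90 1024
    plan_keys "$1" "$2" 2 720 2048 KSK
    # DS records for the registrar are then derived from each KSK file:
    #   dnssec-dsfromkey -2 <KSK key file>
}

# Stand-alone use: sh plan.sh example.com /path/to/keydir
if [ "$#" -ge 2 ]; then plan_zone "$1" "$2"; fi
```

Review the printed commands, then pipe them to `sh` to create the keys in the zone's key directory.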