Still seeing some ALG-7 DNSSE

@lbutlr kremels at
Sat Apr 10 23:22:51 UTC 2021

On 06 Apr 2021, at 01:13, Matthijs Mekking <matthijs at> wrote:
> In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By default the keys are retained for 90 days after their latest usage. So in that case keys will be cleaned up automatically.

Excellent. Does that go in the zone record with default, or does it replace default> I don't see the syntax in the release notes.

Or do I add a 

dnssec-policy "default" {
  purge-keys 30; // (or is that field seconds?)

Or will that mess up the predefined for default?

'There has to be enough light,' he panted, 'to see the darkness.'

More information about the bind-users mailing list