Dnssec-policy Purge-keys
Greg Rivers
gcr+bind-users at tharned.org
Mon Apr 12 07:07:14 UTC 2021
On Monday, 12 April 2021 01:18:11 CDT @lbutlr via bind-users wrote:
> Does anyone know the syntax for using purge-keys in 9.16.13? I've searched and all I can find is notes that it was added. I've tried a couple of things, but I am shooting in the dark. I cannot redefine the "default" policy as that gives an error and simply putting "purge-keys P90D;" or "dnssec-policy purge-keys P90D;" in options files.
>
> I'm sure it's simple, but simply what?
>
As per the BIND9 ARM section 4.2.21, the purge-keys statement must be contained within a dnssec-policy statement. A policy such as this one is working well for me:
dnssec-policy Kreme {
    keys {
        ksk lifetime P1Y algorithm ECDSA256;
        zsk lifetime P3M algorithm ECDSA256;
    };
    purge-keys 30d;
    nsec3param;
};
--
Greg
4.2.21 dnssec-policy Statement Grammar
dnssec-policy <string> {
    dnskey-ttl <duration>;
    keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
        <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
    max-zone-ttl <duration>;
    nsec3param [ iterations <integer> ] [ optout <boolean> ] [
        salt-length <integer> ];
    parent-ds-ttl <duration>;
    parent-propagation-delay <duration>;
    publish-safety <duration>;
    purge-keys <duration>;
    retire-safety <duration>;
    signatures-refresh <duration>;
    signatures-validity <duration>;
    signatures-validity-dnskey <duration>;
    zone-propagation-delay <duration>;
};
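As an added illustration (not part of Greg's message), here is a custom policy carrying purge-keys together with the zone statement that references it, since a policy only takes effect once a zone names it. The zone name, file path and key-directory are placeholders.

```conf
// Added example, not from the original post. Zone name, file and
// key-directory values are placeholders; adjust to your deployment.
dnssec-policy Kreme {
    keys {
        ksk lifetime P1Y algorithm ECDSA256;
        zsk lifetime P3M algorithm ECDSA256;
    };
    purge-keys P30D;    // ISO 8601 duration, as in the ARM grammar's <duration>
    nsec3param;
};

zone "example.com" {
    type primary;
    file "/var/named/example.com.db";   // placeholder path
    key-directory "/var/named/keys";    // placeholder path
    dnssec-policy Kreme;                // apply the policy above to this zone
};
```

Run named-checkconf on the configuration before reloading to catch a misplaced purge-keys statement.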