Dnssec-policy Purge-keys

Greg Rivers gcr+bind-users at tharned.org
Mon Apr 12 07:07:14 UTC 2021

On Monday, 12 April 2021 01:18:11 CDT @lbutlr via bind-users wrote:
> Does anyone know the syntax for using purge-keys in 9.16.13? I've searched and all I can find is notes that it was added. I've tried a couple of things, but I am shooting in the dark. I cannot redefine the "default" policy, as that gives an error, and simply putting "purge-keys P90D;" or "dnssec-policy purge-keys P90D;" in the options file does not work.
> I'm sure it's simple, but simply what?
As per the BIND9 ARM section 4.2.21, the purge-keys statement must be contained within a dnssec-policy statement. A policy such as this one is working well for me:

dnssec-policy Kreme {
	keys {
		ksk lifetime P1Y  algorithm ECDSA256;
		zsk lifetime P3M  algorithm ECDSA256;
	};
	purge-keys 30d;
};

4.2.21 dnssec-policy Statement Grammar

dnssec-policy <string> {
	dnskey-ttl <duration>;
	keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
		<duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
	max-zone-ttl <duration>;
	nsec3param [ iterations <integer> ] [ optout <boolean> ] [
		salt-length <integer> ];
	parent-ds-ttl <duration>;
	parent-propagation-delay <duration>;
	publish-safety <duration>;
	purge-keys <duration>;
	retire-safety <duration>;
	signatures-refresh <duration>;
	signatures-validity <duration>;
	signatures-validity-dnskey <duration>;
	zone-propagation-delay <duration>;
};
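A small checker, added here as an illustration and not code from the post or from BIND, that flags a purge-keys statement placed outside a dnssec-policy block (the situation in the question) and converts BIND durations to seconds. It assumes one statement per line, handles only the date part of ISO 8601 durations, and takes a month as 31 days and a year as 365 days; the two named.conf fragments are constructed.

```python
import re

# Constructed named.conf fragments for illustration (not from the original post).
GOOD = """
dnssec-policy Kreme {
    keys {
        ksk lifetime P1Y algorithm ECDSA256;
        zsk lifetime P3M algorithm ECDSA256;
    };
    purge-keys 30d;
};
"""
BAD = """
options {
    purge-keys P90D;
};
"""
# TTL-style durations: plain seconds or a number with an s/m/h/d/w suffix.
TTL_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# ISO 8601 date part only; month = 31 days and year = 365 days are assumptions.
ISO_DATE = {"Y": 365 * 86400, "M": 31 * 86400, "W": 604800, "D": 86400}

def duration_seconds(text):
    """Convert a BIND <duration> ('P90D', 'P1Y', '30d', '3600') to seconds; None if invalid."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", text, re.IGNORECASE)
    if m:
        return int(m.group(1)) * TTL_UNITS[m.group(2).lower()]
    m = re.fullmatch(r"P((?:\d+[YMWD])+)", text)
    if not m:
        return None
    return sum(int(n) * ISO_DATE[u] for n, u in re.findall(r"(\d+)([YMWD])", m.group(1)))

def purge_keys_problems(conf):
    """Report purge-keys statements that sit outside a dnssec-policy block or carry a bad duration."""
    problems, stack = [], []   # stack holds the names of the blocks currently open
    for lineno, line in enumerate(conf.splitlines(), 1):
        stripped = line.strip()
        m = re.match(r"purge-keys\s+(\S+)\s*;", stripped)
        if m:
            enclosing = stack[-1] if stack else "(top level)"
            if enclosing != "dnssec-policy":
                problems.append(f"line {lineno}: purge-keys inside '{enclosing}', expected dnssec-policy")
            if duration_seconds(m.group(1)) is None:
                problems.append(f"line {lineno}: bad duration {m.group(1)!r}")
        if stripped.endswith("{"):          # one statement per line is assumed
            stack.append(stripped.split()[0])
        elif stripped.startswith("}") and stack:
            stack.pop()
    return problems
```

Running purge_keys_problems over GOOD returns an empty list, while BAD yields one message pointing at the purge-keys line inside the options block.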
