[DNSSEC] testing KASP
adrien sipasseuth
sipasseuth.adrien at gmail.com
Thu May 16 12:02:02 UTC 2024
Hello,
I am trying to set up a testing environment in order to write some scripts to
automate the KSK rollover.
############# question 1 #############
This is my policy:
dnssec-policy "test" {
    keys {
        // ECDSA P-256 keys are always 256 bits, so no key size is needed here
        ksk lifetime P3D algorithm ecdsa256;
        zsk lifetime P1D algorithm ecdsa256;
    };
    // Key timings
    purge-keys P4D;
    // Signature timings
    signatures-refresh PT50M;
    signatures-validity PT1H;
    signatures-validity-dnskey PT1H;
    // Zone parameters
    max-zone-ttl PT1H;
    parent-ds-ttl PT1H;
};
I would like to push the new DS to my registrar automatically. This is my
logic:
    For each .state file
        If it is a KSK with "DSState: rumoured" or "DSState: hidden"
            If it is not at my registrar (dig ds <my_zone> +dnssec +multiline)
                Publish it at my registrar (registrar API)
                Notify BIND (rndc dnssec -checkds -key <ID> published <my_zone>)
Do I need to withdraw the old key immediately too? Anything else to do?
############# question 2 #############
If I want to unsign a zone, I change my policy to "insecure", which is the
default, but files like <my_zone>.signed still exist. Doesn't BIND remove them?
############# question 3 #############
In the state file, when the remove date is reached, can I just delete the key?
Anything else to do?
Regards,
Adrien SIPASSEUTH
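The DS-handling loop sketched in question 1, as an added worked example (it is not code from the original post or from BIND). It assumes the BIND 9.16+ .state file layout ("KSK:", "DSState:", "GoalState:" lines, key tag and algorithm in the K<zone>+<alg>+<tag>.state file name) and the output of "dig ds <zone> +dnssec +multiline" as the picture of what the parent currently serves; the .state contents and the dig output below are constructed samples. No registrar API is called: the planner only reports which DS records to submit or remove, and emits the rndc commands to run once the parent reflects the change. Compared with the logic in the post it adds two checks: ZSKs are skipped, and "GoalState" is consulted so that a retired KSK whose DS has already gone back to "hidden" is not re-submitted, while a retiring KSK ("DSState: unretentive") gets the matching "withdrawn" notification.

```python
import re

# Constructed sample inputs (not from the original post): three KSKs and one ZSK
# of a dnssec-policy managed zone, plus what the parent currently serves.
SAMPLE_STATES = {
    # old KSK being retired: its DS must disappear from the parent
    "Kexample.com.+013+12345.state": """\
; This is the state of key 12345, for example.com.
Algorithm: 13
Length: 256
KSK: yes
ZSK: no
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: unretentive
GoalState: hidden
""",
    # successor KSK: DS submitted earlier, parent serves it, BIND not told yet
    "Kexample.com.+013+23456.state": """\
Algorithm: 13
Length: 256
KSK: yes
ZSK: no
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: rumoured
GoalState: omnipresent
""",
    # brand new KSK: nothing at the parent yet
    "Kexample.com.+013+45678.state": """\
Algorithm: 13
Length: 256
KSK: yes
ZSK: no
DNSKEYState: rumoured
KRRSIGState: rumoured
DSState: hidden
GoalState: omnipresent
""",
    # ZSK: never has a DS, must be ignored
    "Kexample.com.+013+34567.state": """\
Algorithm: 13
Length: 256
KSK: no
ZSK: yes
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
GoalState: omnipresent
""",
}

# Constructed "dig ds example.com +dnssec +multiline" answer section.
SAMPLE_DIG = """\
;; ANSWER SECTION:
example.com.            3600    IN      DS      23456 13 2 (
                                2BB183AF5F22588179A53B0A98631FAD
                                1A292118467A1C5A9F6E1F1B5C5D0F0F )
example.com.            3600    IN      RRSIG   DS 13 2 3600 (
                                20240601000000 20240516000000 2371 com.
                                c29tZXNpZ25hdHVyZWJ5dGVz== )
"""

STATE_NAME = re.compile(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.state$")


def key_identity(filename):
    """Zone, algorithm number and key tag taken from the state file name."""
    m = STATE_NAME.match(filename)
    if not m:
        raise ValueError(f"not a key state file: {filename}")
    return m.group("zone"), int(m.group("alg")), int(m.group("tag"))


def parse_state(text):
    """'Field: value' lines of a .state file as a dict; ';' lines are comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def parse_ds_rrset(dig_output):
    """(key tag, algorithm, digest type, digest) for every DS in dig +multiline output."""
    found, buf, depth = set(), [], 0
    for raw in dig_output.splitlines():
        line = raw.split(";", 1)[0]          # drop dig's comment lines
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:                        # record continues on the next line
            continue
        toks = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if len(toks) >= 8 and toks[3] == "DS":
            found.add((int(toks[4]), int(toks[5]), int(toks[6]), "".join(toks[7:]).lower()))
    return found


def plan_ds_actions(state_files, parent_ds):
    """One (action, key tag, rndc command or None) per KSK that needs attention."""
    at_parent = {(tag, alg) for tag, alg, _, _ in parent_ds}
    actions = []
    for name, text in sorted(state_files.items()):
        zone, alg, tag = key_identity(name)
        st = parse_state(text)
        if st.get("KSK") != "yes":
            continue                          # ZSKs never have a DS
        zone = zone.rstrip(".")
        present = (tag, alg) in at_parent
        goal, ds_state = st.get("GoalState"), st.get("DSState")
        if goal == "omnipresent" and ds_state in ("hidden", "rumoured"):
            # incoming key: publish the DS first, tell BIND once the parent serves it
            if present:
                actions.append(("rndc-published", tag,
                                f"rndc dnssec -checkds -key {tag} published {zone}"))
            else:
                actions.append(("submit-ds", tag, None))
        elif goal == "hidden" and ds_state == "unretentive":
            # outgoing key: remove the DS first, tell BIND once the parent dropped it
            if present:
                actions.append(("remove-ds", tag, None))
            else:
                actions.append(("rndc-withdrawn", tag,
                                f"rndc dnssec -checkds -key {tag} withdrawn {zone}"))
    return actions


if __name__ == "__main__":
    for action, tag, cmd in plan_ds_actions(SAMPLE_STATES, parse_ds_rrset(SAMPLE_DIG)):
        print(action, tag, cmd or "")
```

Run against the samples it reports the retired key 12345 as ready for "withdrawn", key 23456 as ready for "published", and key 45678 as still needing its DS submitted. The parent view is deliberately taken from a DNS query rather than from the registrar API response: BIND's DS state machine cares about what resolvers can see, so the rndc notification should only follow once the DS is actually served by the parent zone.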