Cannot import keys into dnssec-policy
Nguyen Thi Minh Tam
tamntm at vnnic.vn
Wed Mar 26 19:51:51 UTC 2025
"Hi, I'm trying version 9.18.31.
According to the post on https://kb.isc.org/docs/dnssec-key-and-signing-policy, the policy normally generates keys when they are needed. However, we can generate the DNSSEC keys ourselves first, and when the policy requires a new key, it will select the one we created.
There is even an example in that post.
So, I followed that approach. I generated a new key that matches the policy and placed it in the key directory. However, when it was time to roll the key, my key was retired, and the policy generated a new one instead.
Here is my policy:"
dnssec-policy "hosting key" {
dnskey-ttl PT1M;
keys{
ksk key-directory lifetime P1Y algorithm RSASHA256 2048;
zsk key-directory lifetime P30D algorithm RSASHA256 2048;
};
And i run this command to generate the next key:
dnssec-keygen -a 8 -b 2048 -n ZONE -K /data/keys/policy.com/ policy.com
i even tried
dnssec-keygen -k "hosting key" -l /etc/named.conf -K /data/keys/policy.com/ policy.com
so im pretty sure the new key matches the policy. But still, they all got retired.
Plz help.
Best regards,
Tam
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20250326/58f93d57/attachment.htm>
More information about the bind-users
mailing list