<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi people,</p>
<p>I have read <a class="moz-txt-link-freetext" href="https://kb.isc.org/docs/dnssec-key-and-signing-policy">https://kb.isc.org/docs/dnssec-key-and-signing-policy</a></p>
<p>I have put the following policy in my named.conf file:-</p>
<p><font face="monospace">dnssec-policy "ecdsa256-policy" {<br>
signatures-refresh 5d;<br>
signatures-validity 14d;<br>
signatures-validity-dnskey 14d;<br>
dnskey-ttl 3600;<br>
publish-safety 1h;<br>
retire-safety 1h;<br>
purge-keys 10d;<br>
<br>
keys {<br>
ksk lifetime 370d algorithm ecdsa256; // <---- this part in particular!<br>
zsk lifetime 34d algorithm ecdsa256;<br>
};<br>
<br>
zone-propagation-delay 300s;<br>
max-zone-ttl 86400s;<br>
parent-propagation-delay 1h;<br>
parent-ds-ttl 3600;<br>
};</font><br>
<br>
</p>
<p>I also have some external code that goes trawling for CDS records
and puts into a parent whatever it finds in the child - that in
this case is signed with the above policy stanza.</p>
<p>If the child creates a new CDS - my external scripts will find it
and pop it into the parent as a DS record.<br>
If the child loses a CDS record - my external script will remove
the corresponding DS record from the parent.<br>
Basically - whatever is in the child as a CDS will be in the
parent as a DS.<br>
A null CDS removes all DS records - but that's not my question.<br>
</p>
<p>Is there anything else I need to do? Any additional rndc's ??<br>
</p>
<div class="moz-signature">-- <br>
<p>Mark James ELKINS - Posix Systems - (South) Africa<br>
<a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a> Tel: <a href="tel:+27826010496">+27.826010496</a><br>
<br>
</p>
</div>
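<p>The CDS-to-DS mirroring the post describes, as an added worked example that is not the poster's script and not BIND code. It works on CDS and DS records in presentation format (the text form that a zone file or <tt>dig</tt> shows) so it runs offline; every record string below is constructed, the key tags and digests are made up, and the algorithm number 13 is the IANA value for the policy's <tt>ecdsa256</tt>. Two behaviours are deliberate design choices rather than anything the post states: the "0 0 0 00" record is treated as the RFC 8078 "delete the DS RRset" marker, and an empty CDS RRset is treated as "no change" (the RFC 7344 reading) instead of as a request to strip the parent, so a transient lookup that returns nothing cannot unsign the child by accident.</p>

```python
"""Compute the DS changes a parent needs so that it mirrors a child's CDS RRset.

Added example; not the poster's tooling and not part of BIND.  Records are
handled in presentation format:  "<key_tag> <algorithm> <digest_type> <digest>".
"""
from dataclasses import dataclass
from typing import Iterable, Set, Tuple


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex, upper-cased so that case differences do not look like changes


def parse_ds(rdata: str) -> DS:
    """Parse CDS or DS rdata; both types share the same field layout."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError(f"malformed DS/CDS rdata: {rdata!r}")
    key_tag, algorithm, digest_type = (int(x) for x in fields[:3])
    # The digest is hex and may be broken across whitespace in zone-file output.
    digest = "".join(fields[3:]).upper()
    return DS(key_tag, algorithm, digest_type, digest)


def is_delete_marker(rec: DS) -> bool:
    """RFC 8078 section 4: CDS "0 0 0 00" asks the parent to remove the whole DS RRset."""
    return (rec.key_tag, rec.algorithm, rec.digest_type, rec.digest) == (0, 0, 0, "00")


def plan_ds_update(child_cds: Iterable[str], parent_ds: Iterable[str]) -> Tuple[Set[DS], Set[DS]]:
    """Return (to_add, to_remove) for the parent so that its DS set equals the child's CDS set.

    Empty CDS set      -> no change (design choice; see lead-in).
    Delete marker only -> remove every DS the parent currently has.
    Otherwise          -> plain set difference in both directions.
    """
    cds = {parse_ds(r) for r in child_cds}
    ds = {parse_ds(r) for r in parent_ds}

    if not cds:
        return set(), set()

    if any(is_delete_marker(r) for r in cds):
        if len(cds) != 1:
            # RFC 8078 requires the delete marker to be the only CDS record; mixing it with
            # real digests is ambiguous, so refuse rather than guess.
            raise ValueError("delete marker mixed with other CDS records")
        return set(), ds

    return cds - ds, ds - cds


def rollover_walkthrough():
    """Walk a KSK rollover through the three states the poster's script has to handle.

    Constructed sample data: key tags 11111 (old KSK) and 22222 (new KSK), algorithm 13
    (ECDSAP256SHA256, i.e. the policy's ecdsa256), digest type 2 (SHA-256), made-up digests.
    """
    old = "11111 13 2 " + "AB" * 32
    new = "22222 13 2 " + "CD" * 32

    # 1. New KSK published: child advertises both CDS records, parent still has only the old DS.
    add1, rem1 = plan_ds_update([old, new], [old])
    # 2. Old KSK retired: child advertises only the new CDS, parent carries both DS records.
    add2, rem2 = plan_ds_update([new], [old, new])
    # 3. Child asks to go unsigned with the delete marker.
    add3, rem3 = plan_ds_update(["0 0 0 00"], [new])

    return {
        "publish": (sorted(r.key_tag for r in add1), sorted(r.key_tag for r in rem1)),
        "retire": (sorted(r.key_tag for r in add2), sorted(r.key_tag for r in rem2)),
        "delete": (sorted(r.key_tag for r in add3), sorted(r.key_tag for r in rem3)),
    }


if __name__ == "__main__":
    for step, (to_add, to_remove) in rollover_walkthrough().items():
        print(f"{step:8s} add DS for key tags {to_add}, remove DS for key tags {to_remove}")
```

<p>With the policy in the post, the KSK rollover every 370 days produces exactly the publish-then-retire sequence in <tt>rollover_walkthrough()</tt>: first a second CDS appears and the script adds a DS, then the old CDS disappears and the script removes the matching DS. The parent-side <tt>parent-ds-ttl</tt> and <tt>parent-propagation-delay</tt> values in the policy are what BIND uses to decide how long the old DS must be assumed to linger before the old key can be withdrawn, so the script's removal step should not lag those settings.</p>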
</body>
</html>