Will auto-dnssec perform full KSK rollovers?
Patrick H. Piper
ppiper at netlinxinc.com
Wed Feb 17 15:12:32 UTC 2010
When testing auto-dnssec set to maintain, I am seeing the keys get adjusted
according to their -R <revoke_time> -I <inactive_time> and -D <delete_time>.
Should I also see new KSKs be generated and used in the signing process? Or
do you have to manually drop in new keys? It wasn't clear to me what should
happen...
My named.conf file has the following...
zone "example.net" {
auto-dnssec maintain;
type master;
update-policy local;
file "dynamic/example.net/example.net";
key-directory "dynamic/example.net";
};
And as I said, when I build Keys, they automatically sign the zone at named
startup. I see them age out, and removed from the zone, but I don't see any
evidence that new Keys are generated to re-sign the zone.
Thanks
Patrick H. Piper
NETLINX, Inc.
ppiper at netlinxinc.com
www.netlinxinc.com
435-649-3367 (office) | 980-721-7694 (cell)
More information about the bind-workers
mailing list