> On 28. 9. 2024, at 1:31, Terik Erik Ashfolk wrote:
>
> and during consideration I was using a dnssec-policy opPolicy2W with KSK
> changing every 20 days, & ZSK every 10 days.
>
> Now I changed to another dnssec-policy opPolicy3M : KSK changing every ~ 3
> months & ZSK every 22 days.
Just d
Does BIND have a command/parameter for configuring+running BIND
in Multi-Signer MODEL-2 mode as specified in RFC 8901?
https://www.rfc-editor.org/rfc/rfc8901.html
In other words, can BIND itself handle multiple-provider's (aka:
multiple-nameserver's) KSKs, ZSKs, DNSKEYs, etc. RRsets and
cr
Hi Ondrej. THANK YOU.
I understand what you have suggested.
I considered that earlier: it would've increased 1 more server
rent cost, and additional setup, maintenance/update, etc. times, ...
and during consideration I was using a dnssec-policy opPolicy2W
with KSK changing every 20 days, & ZSK e
You need to remember multi-signer still has a lot of hand waving in its
specification. All the coordination between operators is unspecified.
Things like how you generate CDS automatically are undefined. A pre CDS (PCDS)
record with a signer tag and signer count before the CDS data would work
According to the page
https://blog.apnic.net/2021/08/25/multi-signer-dnssec-models/
in MODEL 2.
I added an improved image as attachment.
MULTI-ZSK-SIGNING IS ONE OF THE SOLUTIONS, and appears to be
suitable for my case.
So, multi-signing with ZSKs from multiple nameservers would have
worked,