Re: DNSSEC questions

2021-10-28 Thread Alessandro Vesely
On Thu 28/Oct/2021 09:34:42 +0200 Matthijs Mekking wrote: On 27-10-2021 18:48, Alessandro Vesely wrote: 3. The server produces new .signed and .signed.jnl files every day, which is inconvenient as the zone files directory is checked by tripwire.  Is that timing determined by the dnskey-ttl?  Wo

Re: DNSSEC questions

2021-10-28 Thread Matthijs Mekking
On 27-10-2021 18:48, Alessandro Vesely wrote: 3. The server produces new .signed and .signed.jnl files every day, which is inconvenient as the zone files directory is checked by tripwire.  Is that timing determined by the dnskey-ttl?  Would it be okay to set it to one month? The zone is sig

Re: DNSSEC questions

2021-10-27 Thread Alessandro Vesely
Hi Matthijs, thanks for clarifications. On Wed 27/Oct/2021 17:53:46 +0200 Matthijs Mekking wrote: On 27-10-2021 12:54, Alessandro Vesely wrote: I also switched to dnssec-policy.  Somewhere I read that I should have defined a policy with keys matching the existing keys.  I also defined a "co

Re: DNSSEC questions

2021-10-27 Thread Matthijs Mekking
Hi Alessandro, Your policy has three keys: keys { ksk key-directory lifetime unlimited algorithm rsasha256 2048; zsk key-directory lifetime unlimited algorithm rsasha256 2048; csk key-directory lifetime unlimited algorithm rsasha256 2048; }; Two of them require DS rec

DNSSEC questions

2021-10-27 Thread Alessandro Vesely
Hi all, I recently installed version 9.16, and have a number of doubts. During the upgrade, named didn't want to load signed zones because of CDS/CDNSKEY inconsistency. There were CDS records in the zone files, which I removed. I also switched to dnssec-policy. Somewhere I read that I shou

Re: DNSSEC questions

2021-08-09 Thread raf via bind-users
Hi Matthijs, On Mon, Aug 09, 2021 at 11:11:48AM +0200, Matthijs Mekking wrote: > Hi raf, > > On 09-08-2021 10:08, raf via bind-users wrote: > > Hi, > > > > I've got a bunch of DNSSEC questions. > > Any advice would be appreciated. > > > >

Re: DNSSEC questions

2021-08-09 Thread Matthijs Mekking
Hi raf, On 09-08-2021 10:08, raf via bind-users wrote: Hi, I've got a bunch of DNSSEC questions. Any advice would be appreciated. The context is a little VM with six little zones, soon to be upgraded to debian-11 and bind-9.16.15. I haven't signed my zones before but now is the

DNSSEC questions

2021-08-09 Thread raf via bind-users
Hi, I've got a bunch of DNSSEC questions. Any advice would be appreciated. The context is a little VM with six little zones, soon to be upgraded to debian-11 and bind-9.16.15. I haven't signed my zones before but now is the time. I'm going to rotate KSKs annually because it'

Re: dnssec questions

2010-08-27 Thread CT
On 08/27/2010 11:32 AM, Alan Clegg wrote: On 8/27/2010 11:42 AM, CT wrote: Per my isc class and the book I received by Jeremy C. Reid .. you still need to "include" your keys in the zone file either via $include /KSK $include /ZSK1 $include /ZSK2 or (cat *.key > allkeys) which is what I have done

dnssec questions

2010-08-27 Thread CT
I just migrated my dns server to bind 9.7.1-P2 KSK dnssec-keygen -r /dev/urandom -a RSASHA256 -b 2048 -f KSK $zone ZSK dnssec-keygen -r /dev/urandom -a RSASHA256 -b 1024 $zone SIGN dnssec-signzone -S -C -g -a -H 10 -3 -K $zone Per my isc class and the book I received by Jeremy C. Reid .. you

Re: dnssec questions

2010-08-27 Thread Alan Clegg
On 8/27/2010 11:42 AM, CT wrote: > Per my isc class and the book I received by Jeremy C. Reid .. > you still need to "include" your keys in the zone file either > > via > $include /KSK > $include /ZSK1 > $include /ZSK2 > or > (cat *.key > allkeys) which is what I have done.. > $include /allkeys >