Discussion:
Dnssec-policy Purge-keys
@lbutlr via bind-users
2021-04-12 06:18:11 UTC
Does anyone know the syntax for using purge-keys in 9.16.13? I've searched and all I can find is notes that it was added. I've tried a couple of things, but I am shooting in the dark. I cannot redefine the "default" policy as that gives an error, nor does simply putting "purge-keys P90D;" or "dnssec-policy purge-keys P90D;" in the options file work.

I'm sure it's simple, but simply what?
--
So, the apocalypse is happening and whatever and this little piggy comes all
this way, but you won’t accept my help because I’m a woman?
Pig: Quite right.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinf
Greg Rivers via bind-users
2021-04-12 07:07:14 UTC
Post by @lbutlr via bind-users
Does anyone know the syntax for using purge-keys in 9.16.13? I've searched and all I can find is notes that it was added. I've tried a couple of things, but I am shooting in the dark. I cannot redefine the "default" policy as that gives an error, nor does simply putting "purge-keys P90D;" or "dnssec-policy purge-keys P90D;" in the options file work.
I'm sure it's simple, but simply what?
As per the BIND9 ARM section 4.2.21, the purge-keys statement must be contained within a dnssec-policy statement. A policy such as this one is working well for me:

dnssec-policy Kreme {
    keys {
        ksk lifetime P1Y algorithm ECDSA256;
        zsk lifetime P3M algorithm ECDSA256;
    };
    purge-keys 30d;     // TTL-style duration; ISO 8601 (P30D) is also accepted
    nsec3param;
};
--
Greg


4.2.21 dnssec-policy Statement Grammar

dnssec-policy <string> {
    dnskey-ttl <duration>;
    keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
    max-zone-ttl <duration>;
    nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];
    parent-ds-ttl <duration>;
    parent-propagation-delay <duration>;
    publish-safety <duration>;
    purge-keys <duration>;
    retire-safety <duration>;
    signatures-refresh <duration>;
    signatures-validity <duration>;
    signatures-validity-dnskey <duration>;
    zone-propagation-delay <duration>;
};

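For completeness, here is an added example (editor's illustration, not code from either post or from ISC) of a full named.conf fragment that puts purge-keys where the grammar above requires it and attaches the policy to a zone. The zone name, file names, key directory and policy name are placeholders. The first, commented-out block is the misplacement described in the question; the second is the form named accepts.

```conf
/*
 * WRONG: purge-keys is a sub-statement of dnssec-policy, not of
 * options, so named-checkconf rejects this with a syntax error.
 * Kept commented out so the file as a whole still loads.
 *
 * options {
 *     purge-keys P90D;
 * };
 */

// RIGHT: a named policy carries purge-keys. The built-in "default"
// policy cannot be redefined, so give the policy a new name.
dnssec-policy "example-p90" {               // placeholder policy name
    keys {
        ksk key-directory lifetime P1Y algorithm ecdsa256;
        zsk key-directory lifetime P3M algorithm ecdsa256;
    };
    // Duration syntax is ISO 8601 (P90D) or TTL-style (90d). Retired key
    // files are removed from key-directory this long after the key has
    // been deleted from the zone; 0 keeps them on disk forever.
    // P90D is also the built-in default, so set it explicitly only to
    // document the choice or to change it.
    purge-keys P90D;
    nsec3param iterations 0 optout no salt-length 0;
};

zone "example.com" {                        // placeholder zone
    type master;
    file "example.com.db";                  // placeholder file name
    key-directory "/var/named/keys";        // placeholder path
    dnssec-policy "example-p90";
    inline-signing yes;                     // 9.16 needs this or a dynamic zone
};
```

Run named-checkconf on the file before reloading; with the options-level placement restored it fails at that line, with the policy form it is silent. After a reload, rndc dnssec -status example.com shows which policy the zone is using and the state of each key.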
