...
 
Commits (14)
......@@ -3,3 +3,4 @@
*~
config.ini
dnssec_keys_management.ini
This diff is collapsed.
This diff is collapsed.
[dnssec]
# Directory where dnssec keys will be stored
# Directory where dnssec keys will be stored. This directory will contain on subdirectory per DNS
# zone, containing dnssec keys.
base_directory=/etc/bind/keys
# Interval between 2 operations on the dns keys.
......@@ -7,7 +8,7 @@ base_directory=/etc/bind/keys
# disabled when KEY2 is activated, KEY1 is deleted INTERVAL after being disabled.
# INTERVAL MUST be greater than the longest TTL DS records can have.
# INTERVAL MUST also be higher than the bind signature interval (default 22.5 days)
# This partially depents of the parent zone configuration and you do not necessarily have
# This partially depends of the parent zone configuration and you do not necessarily have
# control over it.
interval=23
......@@ -17,7 +18,6 @@ interval=23
# dnssec_keys_management.py -c is called at least once a day.
zsk_validity=30
# Time after which a new KSK is generated and published for the zone (and activated after INTERVAL).
# The old key is removed only INTERVAL after the new key was dnssec_keys_management.py --ds-seen.
# This usually requires a manual operation with the registrar (publish DS of the new key
......@@ -25,10 +25,23 @@ zsk_validity=30
# to be called and has not yet be called
ksk_validity=366
# Algorithm used to generate new keys.
# Algorithm used to generate new keys. Only the first created KSK and ZSK of a zone will use
# this algorithm. Any renewing key will use the exact same parameters (name, algorithm, size,
# and type) as the renewed key.
# Valid algorithms are RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384.
algorithm=RSASHA256
# Size of the created KSK. Only the first created KSK of a zone will use this size.
# Any renewing key will use the exact same parameters (name, algorithm, size, and type)
# as the renewed key.
ksk_size=2024
# Size of the created ZSK. Only the first created ZSK of a zone will use this size.
# Any renewing key will use the exact same parameters (name, algorithm, size, and type)
# as the renewed key.
zsk_size=1024
[path]
# path to the dnssec-settime binary
......
This diff is collapsed.