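[dnssec]

# Directory where DNSSEC keys are stored. It contains one subdirectory per DNS zone,
# holding that zone's key files.
# The private halves of the keys live here: keep the directory owned by the account that
# runs dnssec_keys_management.py / named and not readable by other accounts.
base_directory=/etc/bind/keys

# Interval between 2 operations on the DNS keys. The unit is not stated in this file; the
# "22.5 days" reference below suggests days -- confirm against dnssec_keys_management.py.
# For example if you have KEY1 enabled, KEY2 is published INTERVAL before disabling KEY1. KEY1 is
# disabled when KEY2 is activated, KEY1 is deleted INTERVAL after being disabled.
# INTERVAL MUST be greater than the longest TTL DS records can have.
# INTERVAL MUST also be higher than the bind signature interval (default 22.5 days).
# This partially depends on the parent zone configuration and you do not necessarily have
# control over it. An INTERVAL that is too short withdraws a key while cached DS, DNSKEY or
# RRSIG records still reference it, which validating resolvers treat as a bogus zone.
interval=23

# Time after which a ZSK is replaced by a new ZSK (same unit as interval).
# Generation of ZSK and activation / deactivation / deletion is managed automatically as long as
# dnssec_keys_management.py -c is called at least once a day.
zsk_validity=30

# Time after which a new KSK is generated and published for the zone (and activated after INTERVAL).
# The old key is removed only INTERVAL after dnssec_keys_management.py --ds-seen was run for the new key.
# This usually requires a manual operation with the registrar (publish DS of the new key
# in the parent zone). dnssec_keys_management.py -c displays a message as long as --ds-seen needs
# to be called and has not yet been called.
ksk_validity=366

# Algorithm used to generate new keys. Only the first created KSK and ZSK of a zone will use
# this algorithm. Any renewing key will use the exact same parameters (name, algorithm, size,
# and type) as the renewed key, so changing this value does not migrate existing zones.
# Valid algorithms are RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384.
# RFC 8624 recommends RSASHA256 or ECDSAP256SHA256 for signing, marks RSASHA512 as not
# recommended and ECCGOST as MUST NOT be used for signing; recent BIND releases may no
# longer generate ECCGOST keys at all.
algorithm=RSASHA256

# Size in bits of the created KSK (meaningful for the RSA algorithms; the ECDSA algorithms
# have a size fixed by their curve). Only the first created KSK of a zone will use this size.
# Any renewing key will use the exact same parameters (name, algorithm, size, and type)
# as the renewed key.
# 2048 is the usual RSA KSK size (2024 is not a standard RSA key size).
ksk_size=2048

# Size in bits of the created ZSK (meaningful for the RSA algorithms). Only the first created
# ZSK of a zone will use this size.
# Any renewing key will use the exact same parameters (name, algorithm, size, and type)
# as the renewed key.
# 1024-bit RSA is below current key-length guidance and is only tolerable because the ZSK
# is rolled every zsk_validity; prefer 2048 or an ECDSA algorithm for new deployments.
zsk_size=1024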


[path]

# Absolute paths of the BIND utilities that dnssec_keys_management.py runs. Using
# absolute paths keeps the tool independent of the caller's PATH; point them at
# binaries that are not writable by the account running the script.

# dnssec-dsfromkey: builds DS records from a DNSKEY (the records to publish in the parent zone)
dnssec_dsfromkey=/usr/sbin/dnssec-dsfromkey

# dnssec-keygen: creates new KSK / ZSK key pairs
dnssec_keygen=/usr/sbin/dnssec-keygen

# dnssec-settime: sets the publish / activate / inactive / delete timing metadata of a key
dnssec_settime=/usr/sbin/dnssec-settime

# rndc: BIND remote name daemon control utility
rndc=/usr/sbin/rndc