DNSSEC Algorithm Rollover
Preparing for the rollover with BIND and its DNSSEC policies
Make sure you are running at least BIND 9.16.0; older versions do not support `dnssec-policy`. Before the policy feature can drive the rollover, the existing signing setup has to be migrated to a policy. The original setup was the following:
zone "t0d.nl" {
    ...
    auto-dnssec maintain;
    inline-signing yes;
    ...
};
And I converted this to the following custom policy:
dnssec-policy "rsa_default" {
    dnskey-ttl 24h;
    keys {
        ksk lifetime unlimited algorithm RSASHA256 2560;
        zsk lifetime 90d algorithm RSASHA256 1536;
    };
    max-zone-ttl 3600;
    parent-ds-ttl 600;
    parent-propagation-delay 2d;
    publish-safety 14d;
    retire-safety 14d;
    signatures-refresh 5d;
    signatures-validity 15d;
    signatures-validity-dnskey 15d;
    zone-propagation-delay 2h;
};
The zone definition then references that policy instead of the old `auto-dnssec` and `inline-signing` options:
zone "t0d.nl" {
    type master;
    dnssec-policy rsa_default;
    //auto-dnssec maintain;
    //inline-signing yes;
    ...
};
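The timing values in the policy above decide how long each phase of a key rollover lasts, which matters when you plan the algorithm rollover. As an added example (not code from the original post), the script below parses those values and computes the pre-publication and retire intervals using the RFC 7583 formulas that BIND's `dnssec-policy` follows (Ipub = dnskey-ttl + publish-safety + zone-propagation-delay; ZSK Iret = (signatures-validity - signatures-refresh) + zone-propagation-delay + max-zone-ttl + retire-safety; KSK Iret = parent-propagation-delay + parent-ds-ttl + retire-safety); the mapping of the policy keywords onto those formulas is my reading of the BIND documentation, and the lifetime check at the end is my own sanity check, not a BIND feature.

```python
import re

# Durations copied from the "rsa_default" policy above. BIND's TTL-style
# syntax: bare seconds or a number with an s/m/h/d/w suffix (BIND also accepts
# ISO 8601 durations such as P14D, which this small parser does not handle).
POLICY = {
    "dnskey-ttl": "24h",
    "max-zone-ttl": "3600",
    "parent-ds-ttl": "600",
    "parent-propagation-delay": "2d",
    "publish-safety": "14d",
    "retire-safety": "14d",
    "signatures-refresh": "5d",
    "signatures-validity": "15d",
    "zone-propagation-delay": "2h",
}

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_duration(text: str) -> int:
    """Convert a TTL-style duration such as '24h' or '3600' to seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", text.strip().lower())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def rollover_intervals(policy: dict) -> dict:
    """Return the RFC 7583 rollover intervals (in seconds) implied by a policy."""
    p = {k: parse_duration(v) for k, v in policy.items()}
    # Ipub: how long a new DNSKEY must be published before it may be used.
    ipub = p["dnskey-ttl"] + p["publish-safety"] + p["zone-propagation-delay"]
    # ZSK Iret: the old ZSK stays published until every RRSIG it made has been
    # replaced (Dsgn = validity - refresh) and has expired from caches.
    dsgn = p["signatures-validity"] - p["signatures-refresh"]
    iret_zsk = dsgn + p["zone-propagation-delay"] + p["max-zone-ttl"] + p["retire-safety"]
    # KSK Iret: the old KSK stays until the parent's DS change has propagated.
    iret_ksk = p["parent-propagation-delay"] + p["parent-ds-ttl"] + p["retire-safety"]
    return {"Ipub": ipub, "Iret_ZSK": iret_zsk, "Iret_KSK": iret_ksk}

def lifetime_covers_rollover(lifetime: str, ipub: int, iret: int) -> bool:
    """Sanity check: a key lifetime should exceed one full rollover (Ipub + Iret)."""
    return parse_duration(lifetime) > ipub + iret

def fmt(seconds: int) -> str:
    d, rem = divmod(seconds, 86400)
    h, rem = divmod(rem, 3600)
    return f"{d}d {h}h {rem // 60}m"

if __name__ == "__main__":
    iv = rollover_intervals(POLICY)
    for name, secs in iv.items():
        print(f"{name:9} {fmt(secs)}")
    print("90d ZSK lifetime covers a rollover:",
          lifetime_covers_rollover("90d", iv["Ipub"], iv["Iret_ZSK"]))
```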