Update documentation wrt key algorithms

Add a note to the DNSSEC guide and to the ARM reference that a ZSK/KSK
pair used for signing your zone should have the same algorithm.

This commit also updates the 'dnssec-policy/keys' example to use the
slightly more modern 'rsasha256' algorithm.
Matthijs Mekking
2022-02-11 09:48:36 +01:00
parent 5fa60c1ce9
commit 7365400610
2 changed files with 7 additions and 4 deletions


@@ -5169,7 +5169,7 @@ The following options can be specified in a ``dnssec-policy`` statement:
::
keys {
ksk key-directory lifetime unlimited algorithm rsasha1 2048;
ksk key-directory lifetime unlimited algorithm rsasha256 2048;
zsk lifetime P30D algorithm 8;
csk lifetime P6MT12H3M15S algorithm ecdsa256;
};
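Review bot: with the old `rsasha1` line the example's KSK (RSASHA1, algorithm 5) and the ZSK on the next line (`algorithm 8`, which is RSASHA256) did not share an algorithm, so the example contradicted the rule this same commit adds to the text below; changing the KSK to `rsasha256` makes the pair consistent, but only a reader who knows that 8 is RSASHA256 can see it. Since the numeric form is kept deliberately to show that algorithms may be given by number, consider a short comment on the ZSK line (e.g. `zsk lifetime P30D algorithm 8;  # 8 = rsasha256, same as the ksk`) or a clause in the explanatory text so the example visibly follows the rule.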
@@ -5205,6 +5205,8 @@ The following options can be specified in a ``dnssec-policy`` statement:
number. An optional second parameter specifies the key's size in
bits. If it is omitted, as shown in the example for the second and
third keys, an appropriate default size for the algorithm is used.
Each KSK/ZSK pair must have the same algorithm. A CSK combines the
functionality of a ZSK and a KSK.
``purge-keys``
This is the time after when DNSSEC keys that have been deleted from
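Review bot: the new sentence "Each KSK/ZSK pair must have the same algorithm." is inserted into the paragraph that explains the optional key-size parameter, so a reader following the size discussion meets an unrelated constraint mid-paragraph. Consider attaching it to the earlier sentence that says the algorithm can be given by name or number, or starting a new paragraph for it; and since the identical sentence is added verbatim to the guide in the other file of this commit, one of the two places could reference the other instead of duplicating the wording.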


@@ -762,9 +762,10 @@ The policy has multiple parts:
- The ``keys`` clause lists all keys that should be in the zone, along
with their associated parameters. In this example, we are using the
conventional KSK/ZSK split, with the KSK changed every year and the
ZSK changed every two months. We have used one of the two mandatory
algorithms for the keys. (The ``default`` DNSSEC policy sets a CSK
that is never changed.)
ZSK changed every two months (the ``default`` DNSSEC policy sets a
CSK that is never changed). Keys are created using the
ECDSAPS256SHA256 algorithm; each KSK/ZSK pair must have the same
algorithm. A CSK combines the functionality of a ZSK and a KSK.
- The parameters ending in ``-ttl`` are, as expected, the TTLs of the
associated records. Remember that during a key rollover,
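Review bot: `ECDSAPS256SHA256` on the added line looks like a typo; the registered mnemonic for algorithm 13 is `ECDSAP256SHA256` (a single S). The ARM example changed in the same commit spells the same algorithm `ecdsa256` in the `csk` line, so the guide should either use the mnemonic the reader will actually type into `dnssec-policy` or give both spellings once. The removed sentence ("one of the two mandatory algorithms") also dropped the point that this choice is one of the required-to-implement algorithms; if that was intentional it is fine, otherwise a half-sentence could be kept.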