mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-02 15:45:25 +00:00
Code Issues Releases Wiki Activity

Add a note about pregenarating keys for key rolls

Browse Source 
With dnssec-policy you can pregenerate keys and if they are eligible,
rather than creating a new key, a key is selected from the pregenerated
keys. A key is eligible if it is unused, i.e it has no key timing
metadata set.

(cherry picked from commit 9880bfff63)
This commit is contained in:
Matthijs Mekking
2025-04-11 13:16:39 -05:00
parent 51e51d5ea8
commit 9d97cfd594
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
doc/arm/dnssec.inc.rst
View File

@@ -196,6 +196,11 @@ To roll a key sooner than scheduled, or to roll a key that
has an unlimited lifetime, use: has an unlimited lifetime, use:
:option:`rndc dnssec -rollover -key 12345 dnssec.example. <rndc dnssec>`. :option:`rndc dnssec -rollover -key 12345 dnssec.example. <rndc dnssec>`.
You can pregenerate keys and save them in the key directory. As long as the
key has no timing metadata set, it may be selected as a successor in the
upcoming key rollover. To pregenerate keys without setting key timing metadata,
use the `-G` option: ``dnssec-keygen -G dnssec.example.``.
To revert a signed zone back to an insecure zone, change To revert a signed zone back to an insecure zone, change
the zone configuration to use the built-in "insecure" policy. Detailed the zone configuration to use the built-in "insecure" policy. Detailed
instructions are described in :ref:`revert_to_unsigned`. instructions are described in :ref:`revert_to_unsigned`.