mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00

Document what is a too short key lifetime

To give a hint to users that get an error that the key lifetime is
shorter than the time it takes to do a rollover.
This commit is contained in:
Matthijs Mekking 2022-06-20 11:08:51 +02:00
parent cc7f132ff8
commit c47735b86b


@ -5324,9 +5324,15 @@ The following options can be specified in a ``dnssec-policy`` statement:
``unlimited``. ``unlimited``.
Note that the lifetime of a key may be extended if retiring it too Note that the lifetime of a key may be extended if retiring it too
soon would cause validation failures. For example, if the key were soon would cause validation failures. The key lifetime must be
configured to roll more frequently than its own TTL, its lifetime longer than the time it takes to do a rollover; that is, the lifetime
would automatically be extended to account for this. must be more than the publication interval (which is the sum of
``dnskey-ttl``, ``publish-safety``, and ``zone-propagation-delay``).
It must also be more than the retire interval (which is the sum of
``max-zone-ttl``, ``retire-safety`` and ``zone-propagation-delay``
for ZSKs, and the sum of ``parent-ds-ttl``, ``retire-safety``, and
``parent-propagation-delay`` for KSKs and CSKs). BIND 9 treats a key
lifetime that is too short as an error.
The ``algorithm`` parameter specifies the key's algorithm, expressed The ``algorithm`` parameter specifies the key's algorithm, expressed
either as a string ("rsasha256", "ecdsa384", etc.) or as a decimal either as a string ("rsasha256", "ecdsa384", etc.) or as a decimal
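Review bot: the retained opening sentence and the new closing sentence of this paragraph read as contradictory: the text still says "the lifetime of a key may be extended if retiring it too soon would cause validation failures", and then the added text ends with "BIND 9 treats a key lifetime that is too short as an error". A reader cannot tell whether a too-short lifetime is silently extended or rejected. Either drop the "may be extended" sentence now that its example has been removed, or say explicitly which case applies when (for instance, that the configured lifetime is checked against the publication and retire intervals and rejected when it is shorter, and that extension only concerns the actual retire time of an already active key). It would also help to state the rule once, as "the lifetime must be longer than both the publication interval and the retire interval", before defining the two intervals, and to use "longer than" consistently instead of alternating with "more than". Minor style point: the ZSK list "``max-zone-ttl``, ``retire-safety`` and ``zone-propagation-delay``" lacks the serial comma that the KSK list on the next line uses.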