Hey people,
In the previous version of BIND I used bash scripts in crontab to automate the entire process of creating the KSK and ZSK keys. Unfortunately, due to the new Policy feature, this automation of mine is no longer valid.
I installed the new version of BIND and needed to reconfigure it, but I found the following issues:
1 - KSK and ZSK parameters need to be uppercase
BIND's documentation page about this new feature uses the following example to have both keys:
Code:
dnssec-policy "myway" {
    keys {
        ksk lifetime unlimited algorithm rsasha256 2048;
        zsk lifetime P60D algorithm rsasha256 1024;
    };
};
zone "example.com" {
    dnssec-policy myway;
};
Using lowercase ksk and zsk as in the example will result in the following error:
Code:
dnssec-policy: algorithm 13 requires both KSK and ZSK roles
In my case I am using something similar to:
Code:
dnssec-policy "myway" {
    keys {
        KSK key-directory lifetime P180D algorithm 14;
        ZSK key-directory lifetime P30D algorithm 13;
    };
};
2 - It is not generating the KSK
After changing the example to KSK and ZSK (uppercase), the KSK key is not generated, but two ZSK keys are.
Has anyone else had these problems?
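An added example (not part of the original post and not BIND's own code) that applies the rule stated in the error message above to a `keys` block: for each algorithm it reports which of the KSK and ZSK roles is not declared. Assumptions: role keywords are read case-insensitively here (no claim about BIND's parser), a `csk` counts as both roles, and the function names and mnemonic table are this example's own.

```python
import re
from collections import defaultdict

# IANA DNSSEC algorithm mnemonics -> numbers (subset, enough for this page).
ALGORITHMS = {"rsasha1": 5, "nsec3rsasha1": 7, "rsasha256": 8, "rsasha512": 10,
              "ecdsap256sha256": 13, "ecdsap384sha384": 14,
              "ed25519": 15, "ed448": 16}

# One key entry: role keyword, anything up to "algorithm", then name or number.
# Case-insensitive matching is this example's assumption, so both spellings
# from the post can be read.
KEY_LINE = re.compile(r"^\s*(ksk|zsk|csk)\b[^;]*?\balgorithm\s+(\w+)",
                      re.I | re.M)

def roles_by_algorithm(policy_text):
    """Map algorithm number -> set of roles declared for it."""
    roles = defaultdict(set)
    for role, alg in KEY_LINE.findall(policy_text):
        number = int(alg) if alg.isdigit() else ALGORITHMS[alg.lower()]
        role = role.lower()
        # A combined signing key (csk) fills both roles.
        roles[number].update({"ksk", "zsk"} if role == "csk" else {role})
    return dict(roles)

def missing_roles(policy_text):
    """Return {algorithm: [missing roles]} for algorithms lacking a role."""
    return {alg: sorted({"ksk", "zsk"} - have)
            for alg, have in sorted(roles_by_algorithm(policy_text).items())
            if have != {"ksk", "zsk"}}

# The two keys blocks quoted in the post above.
DOC_EXAMPLE = """
keys {
    ksk lifetime unlimited algorithm rsasha256 2048;
    zsk lifetime P60D algorithm rsasha256 1024;
};
"""
POSTED = """
keys {
    KSK key-directory lifetime P180D algorithm 14;
    ZSK key-directory lifetime P30D algorithm 13;
};
"""

if __name__ == "__main__":
    for name, text in (("documentation example", DOC_EXAMPLE),
                       ("posted policy", POSTED)):
        print(name, "->", missing_roles(text) or "every algorithm has both roles")
```

The documentation example uses one algorithm for both keys, while the posted policy declares algorithm 14 only as a KSK and algorithm 13 only as a ZSK, which is the condition named in the error line.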