mirror of
https://github.com/isc-projects/bind9.git
synced 2026-03-10 18:28:43 -04:00
0598381236
Add a new configuration option to enable Offline KSK key management. Offline KSK cannot work with CSK because it splits how keys with the KSK and ZSK role operate. Therefore, one key cannot have both roles. Add a configuration check to ensure this.
43 lines
979 B
Text
43 lines
979 B
Text
/*
|
|
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
*
|
|
* SPDX-License-Identifier: MPL-2.0
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
*
|
|
* See the COPYRIGHT file distributed with this work for additional
|
|
* information regarding copyright ownership.
|
|
*/
|
|
|
|
dnssec-policy "default" {
|
|
// Keys
|
|
offline-ksk no;
|
|
keys {
|
|
csk key-directory lifetime unlimited algorithm 13;
|
|
};
|
|
|
|
// Key timings
|
|
cdnskey yes;
|
|
cds-digest-types { 2; };
|
|
dnskey-ttl 3600;
|
|
publish-safety 1h;
|
|
retire-safety 1h;
|
|
purge-keys P90D;
|
|
|
|
// Signature timings
|
|
signatures-jitter 12h;
|
|
signatures-refresh 5d;
|
|
signatures-validity 14d;
|
|
signatures-validity-dnskey 14d;
|
|
|
|
// Zone parameters
|
|
inline-signing yes;
|
|
max-zone-ttl 86400;
|
|
zone-propagation-delay 300;
|
|
|
|
// Parent parameters
|
|
parent-ds-ttl 86400;
|
|
parent-propagation-delay 1h;
|
|
};
|