From: Matthijs Mekking
Date: Fri, 11 Apr 2025 18:16:39 +0000 (-0500)
Subject: Add a note about pregenerating keys for key rolls
X-Git-Tag: v9.18.37~9^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d4147bcfd6ead1a2538776587b48e5a050386896;p=thirdparty%2Fbind9.git

Add a note about pregenerating keys for key rolls

With dnssec-policy you can pregenerate keys and, if they are eligible, rather than creating a new key, a key is selected from the pregenerated keys. A key is eligible if it is unused, i.e. it has no key timing metadata set.

(cherry picked from commit 9880bfff63d853629afb85394a65dd4eaf9f90b0)
---
diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst index c48bab1dda9..9db62eaddab 100644 --- a/doc/arm/dnssec.inc.rst +++ b/doc/arm/dnssec.inc.rst @@ -195,6 +195,11 @@ To roll a key sooner than scheduled, or to roll a key that has an unlimited lifetime, use: :option:`rndc dnssec -rollover -key 12345 dnssec.example. `. +You can pregenerate keys and save them in the key directory. As long as the +key has no timing metadata set, it may be selected as a successor in the +upcoming key rollover. To pregenerate keys without setting key timing metadata, +use the `-G` option: ``dnssec-keygen -G dnssec.example.``. + To revert a signed zone back to an insecure zone, change the zone configuration to use the built-in "insecure" policy. Detailed instructions are described in :ref:`revert_to_unsigned`.
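Review bot: in the added paragraph, `-G` is written with single backticks (default RST role) while the command right after it is a double-backtick literal and the preceding paragraph uses the :option: role for ``rndc dnssec -rollover``; use ``-G`` or :option:`dnssec-keygen -G` so the option renders as a literal consistently. Separately, the example ``dnssec-keygen -G dnssec.example.`` passes no algorithm, key-size or key-type flags, and the text states only the "no timing metadata" condition from the commit message; if a pregenerated key must also match the policy's algorithm and key role to be selected as a successor, a sentence saying so here would save readers from generating keys the rollover will never pick.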