::
keys {
- ksk key-directory lifetime unlimited algorithm rsasha1 2048;
+ ksk key-directory lifetime unlimited algorithm rsasha256 2048;
zsk lifetime P30D algorithm 8;
csk lifetime P6MT12H3M15S algorithm ecdsa256;
};
number. An optional second parameter specifies the key's size in
bits. If it is omitted, as shown in the example for the second and
third keys, an appropriate default size for the algorithm is used.
+ Each KSK/ZSK pair must have the same algorithm. A CSK combines the
+ functionality of a ZSK and a KSK.
``purge-keys``
This is the time after when DNSSEC keys that have been deleted from
- The ``keys`` clause lists all keys that should be in the zone, along
with their associated parameters. In this example, we are using the
conventional KSK/ZSK split, with the KSK changed every year and the
- ZSK changed every two months. We have used one of the two mandatory
- algorithms for the keys. (The ``default`` DNSSEC policy sets a CSK
- that is never changed.)
+ ZSK changed every two months (the ``default`` DNSSEC policy sets a
+ CSK that is never changed). Keys are created using the
+ ECDSAPS256SHA256 algorithm; each KSK/ZSK pair must have the same
+ algorithm. A CSK combines the functionality of a ZSK and a KSK.
- The parameters ending in ``-ttl`` are, as expected, the TTLs of the
associated records. Remember that during a key rollover,
projects / thirdparty / bind9.git / commitdiff
