upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-03 13:59:27 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

[9.20] chg: doc: Add a note on pregenerating keys

Browse source 
With `dnssec-policy` you can pregenerate keys and if they are eligible, rather than creating a new key, a key is selected from the pregenerated keys. A key is eligible if it is unused, i.e it has no key timing metadata set.

Backport of MR !10385

Merge branch 'backport-matthijs-clarify-pregenerating-keys-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10388
This commit is contained in:
Matthijs Mekking 2025-04-22 08:17:28 +00:00
commit 8f7f97666a
1 changed files with 5 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
doc/arm/dnssec.inc.rst
View file

@ -196,6 +196,11 @@ To roll a key sooner than scheduled, or to roll a key that
has an unlimited lifetime, use:
:option:`rndc dnssec -rollover -key 12345 dnssec.example. <rndc dnssec>`.
You can pregenerate keys and save them in the key directory. As long as the
key has no timing metadata set, it may be selected as a successor in the
upcoming key rollover. To pregenerate keys without setting key timing metadata,
use the `-G` option: ``dnssec-keygen -G dnssec.example.``.
To revert a signed zone back to an insecure zone, change
the zone configuration to use the built-in "insecure" policy. Detailed
instructions are described in :ref:`revert_to_unsigned`.