upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-10 15:19:59 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add a note about pregenarating keys for key rolls

Browse source 
With dnssec-policy you can pregenerate keys and if they are eligible,
rather than creating a new key, a key is selected from the pregenerated
keys. A key is eligible if it is unused, i.e it has no key timing
metadata set.
This commit is contained in:
Matthijs Mekking 2025-04-11 13:16:39 -05:00
parent b3ee5dc8f7
commit 9880bfff63
1 changed files with 5 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
doc/arm/dnssec.inc.rst
View file

@ -196,6 +196,11 @@ To roll a key sooner than scheduled, or to roll a key that
has an unlimited lifetime, use:
:option:`rndc dnssec -rollover -key 12345 dnssec.example. <rndc dnssec>`.
You can pregenerate keys and save them in the key directory. As long as the
key has no timing metadata set, it may be selected as a successor in the
upcoming key rollover. To pregenerate keys without setting key timing metadata,
use the `-G` option: ``dnssec-keygen -G dnssec.example.``.
To revert a signed zone back to an insecure zone, change
the zone configuration to use the built-in "insecure" policy. Detailed
instructions are described in :ref:`revert_to_unsigned`.