Skip to content

Improve dnssec-policy documentation

  • I don't see a mention of default or none in the ARM

  • Document that multiple rollovers at the same time is not supported (roll a key that has not yet been made active).

  • Key rollovers and timings around submitting the DS

  • minor typo: should be "of" not "or" Like max-zone-ttl, specifies the maximum permissible TTL value in seconds. When loading a zone file using a masterfile-format or text or raw,

  • Document that PT0S (duration of 0 seconds) is infinite key lifetime

    I'm trying to make it do insane things and I'm not sure why it isn't?  I gave it a zsk lifetime of 6 hours, 
and publish-safety 1 week.  shouldn't it be prepublishing about 28 keys?  but it's only created two zsk's and 
only published one

You are pushing it to its limits and basically says: "I am afraid I can't let you do that Dave" - It follows 
the policy and does one ZSK at a time. The lifetime for the first key will be 6 hours extended with a week. It 
is not according to policy but as close as it safely can be

  • We probably need some warning logs when detecting such insanity.

  • ...and documentation of what to expect.

Some other suggestions:

  • Consider making the 'lifetime' keyword optional, with default zero if unspecified. consider adding 'unlimited' as a synonym for '0'.
  • Also suggest making the key-directory keyword optional
  • Add algorithm menmonic support so you could say "ksk algorithm ecdsa256;"
  • Forbid, or at least warn, if someone specifies a key length with an algorithm where that's predefined. it accepted "algorithm 13 2048" which I believe to be a silly value.
  • We need a way, via rndc zonestatus or some other command, to see what the current state of the keys are and when they're going to be changing to a new state (e.g. rumored to omnipresent). the log file says "wait 7500 seconds" or something if you run in debug mode but I haven't found any other way to figure it out
  • We need a way, via rndc or some other command, to signal that we have submitted the DS.
  • incidentally, why is zone-max-ttl not called max-zone-ttl? it's identical to the zone option and confusing for them to have two different names
Edited by Matthijs Mekking
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information