Skip to content

Documentation: Please document the "lifetime" options for dnssec policy keys statements.

Looking through the ARM, see timing options for the key lifetimes such as:

keys {
    ksk key-directory lifetime unlimited algorithm rsasha256 2048;
    zsk lifetime P30D algorithm 8;
    csk lifetime P6MT12H3M15S algorithm ecdsa256;
};

And while the ARM spells out what that last (weird) key argument does, there's no link to what the actual format of the lifetime statement is -- what the P and T stand for (also, nothing in our KB's.)

named-checkconf also does not emit warnings if you just say "lifetime 30d" so I cannot tell if this behavior is somehow different.

In fact, I cannot at all find a syntax for the "keys" sub-statement for dnssec-policy in the ARM.

Finally, in the rendered version of the ARM, there's a statement that says:

"Here is an example (for illustration purposes only) of some possible entries in a [keys] list:", and that links to the wrong "keys" statement. (It links to https://bind9.readthedocs.io/en/v9.18.18/reference.html#namedconf-statement-keys where it specifically says "these are NOT the dnssec-policy keys")

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information