// Policy for Elliptic Curve, Algorithm 13 (ECDSAP256SHA256)
dnssec-policy "ecdsa256-policy" {
// Signature timing: an RRSIG is renewed when it is within 5 days of expiry,
// so refresh (5d) must stay well inside validity (14d) to avoid a gap where
// expired signatures are still being served.
signatures-refresh 5d;
signatures-validity 14d;
signatures-validity-dnskey 14d;
// TTL (seconds) placed on the DNSKEY RRset; used in rollover timing below.
dnskey-ttl 3600;
// Extra margin added before a new key is used and after an old one is withdrawn.
publish-safety 1h;
retire-safety 1h;
// Key files of a retired key are kept for this long before being removed.
purge-keys 10d;
keys {
// Separate KSK and ZSK, both ECDSA P-256 (algorithm 13). The lifetime is the
// automatic rollover period; a rollover can also be forced with rndc dnssec -rollover.
ksk lifetime 370d algorithm ecdsa256;
zsk lifetime 34d algorithm ecdsa256;
};
// Time for a zone change to reach all secondaries, and the largest TTL in the zone;
// both feed the rollover schedule.
zone-propagation-delay 300s;
max-zone-ttl 86400s;
// How long the parent takes to publish a new DS, and the TTL the parent puts on it.
// NOTE(review): parent-ds-ttl should match the DS TTL the parent actually uses — verify against the parent zone.
parent-propagation-delay 1h;
parent-ds-ttl 3600;
// Left commented out, so the zone is signed with NSEC. Uncommenting switches to NSEC3
// with zero extra iterations, no opt-out and an empty salt, which is the RFC 9276 recommendation.
// nsec3param iterations 0 optout no salt-length 0;
};
// parental-agents: the nameservers to query for a given parent zone (named asks them whether the DS record has been published).
// Referenced by the zone "dnssec.edu.za" below via parental-agents { "edu.za"; }.
parental-agents "edu.za" {
204.61.216.55; // za-ns.anycast.pch.net.
};
// Agent for co.za zones; not referenced by the zone shown in this file, kept for zones under co.za.
parental-agents "co.za" {
206.223.136.200; // ns.coza.net.za.
};
// The zone statement also needs the following extra options:
// Unsigned starting point, shown for comparison only. A loaded named.conf must contain
// only one statement for this zone: this one OR the signed version further down.
zone "dnssec.edu.za" { // The original zone
type primary;
file "pri/dnssec.edu.za/db.dnssec.edu.za";
};
/* The following lines should be added:
key-directory "pri/dnssec.edu.za/keys";
dnssec-policy "ecdsa256-policy";
serial-update-method date;
parental-agents { "edu.za"; };
inline-signing yes;
*/
// And becomes....
// The same zone with automatic DNSSEC signing enabled. This replaces the unsigned
// zone statement above; do not keep both in the running configuration.
zone "dnssec.edu.za" {
type primary;
file "pri/dnssec.edu.za/db.dnssec.edu.za";
// Where named creates and stores the key files. The path is relative to the server's
// directory option (presumably /etc/ns.d, given the mkdir below — confirm), and named
// must have write access to it or key generation will fail.
key-directory "pri/dnssec.edu.za/keys";
// Timing and algorithm come from the policy defined at the top of this file.
dnssec-policy "ecdsa256-policy";
// Serial is rewritten as a date-based number whenever named re-signs the zone.
serial-update-method date;
// Which servers to check for DS publication during a KSK rollover.
parental-agents { "edu.za"; };
// Keep the unsigned zone file untouched; named maintains the signed copy itself.
inline-signing yes;
};
Create the 'key' directory: mkdir /etc/ns.d/pri/dnssec.edu.za/keys
To roll a key sooner than scheduled, or to roll a key that has an unlimited lifetime, use: rndc dnssec -rollover -key 12345 dnssec.example... (replacing 12345 with the key's ID and the trailing argument with the zone name).
Created by Mark Elkins - mje@posix.co.za - WhatsApp +27.826010496