Hello John,
On Mon, 19 Jan 2015 22:47:59 -0500 John john@klam.ca wrote:
A couple of questions: Does anybody know if key rolling is going to be part of Bind (as part of maintain/inline) maybe?
Not that I'm aware of. Would probably be a major addition, as BIND 9 would need to keep state across restarts.
Has the been any discussion on basing the +/-nn part of the date/time params, not on today, but on one of the existing params when the -S option is used?
the way I use the key dates is to specify the "retirement" and "deletion" only before the new key is generated, e.g. when the rollover starts. That way, the rollover can be postponed in time when needed
Example:
the initial key generation:
# dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -P +1d -A +4d example.com
publication: now + 1 day activation: now + 4 days retirement: unset deletion: unset
# dnssec-settime -p all Kexample.com.+008+50340 Created: Wed Jan 21 09:32:35 2015 Publish: Thu Jan 22 09:32:35 2015 Activate: Sun Jan 25 09:32:35 2015 Revoke: UNSET Inactive: UNSET Delete: UNSET
28 days after activation, the rollover process starts by setting the inactivation time and creating the successor key:
# dnssec-settime -I +2d -D +8d Kexample.com.+008+50340 ./Kexample.com.+008+50340.key ./Kexample.com.+008+50340.private # dnssec-settime -p all Kexample.com.+008+50340 Created: Wed Jan 21 09:32:35 2015 Publish: Thu Jan 22 09:32:35 2015 Activate: Sun Jan 25 09:32:35 2015 Revoke: UNSET Inactive: Sun Feb 22 09:37:28 2015 Delete: Sat Feb 28 09:37:28 2015
# dnssec-keygen -i 2d -S Kexample.com.+008+50340.key example.com
# dnssec-settime -p all Kexample.com.+008+40260 Created: Wed Jan 21 09:38:04 2015 Publish: Fri Feb 20 09:37:28 2015 Activate: Sun Feb 22 09:37:28 2015 Revoke: UNSET Inactive: UNSET Delete: UNSET
By setting the inactivation time not at the creation of the key, but when the rollover starts, the process is more robust against failures of the script/process and the rollover can be postponed if needed (by disabling the script).
But please send a feature request to the BIND 9 people (email bind9-bugs@isc.org) if you feel relative dates for a successor key would be useful.
Best regards
Carsten