Uz je to nakej cas, co sem si dle postupu tady na webu nastavil a aktivoval dnssec pro me domeny. Vse funguje, tak sem se o to dal nezajimal. Pak sem neco menil v nastaveni a krom "named-checkzone" sem pro jistotu skusil i "named-checkconf". A tam sem dostal neco takovyho:
/etc/bind/named.conf.local:7: option 'auto-dnssec' is deprecated
/etc/bind/named.conf.local:7: 'auto-dnssec' option is deprecated and will be removed in BIND 9.19. Please migrate to dnssec-policy
Ano, u vsech zone{} mam aktivovano:
inline-signing yes;
auto-dnssec maintain;
Jak to mam ted zmenit na "dnssec-policy"? Koukam manual, a nejsem z toho nijak moudrej. Je tam mnoho parametru pro nastaveni, a vubec netusim co vlastne znamenaji:
dnssec-policy <string> {
dnskey-ttl <duration>;
keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
max-zone-ttl <duration>;
nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
parent-registration-delay <duration>; // obsolete
publish-safety <duration>;
purge-keys <duration>;
retire-safety <duration>;
signatures-refresh <duration>;
signatures-validity <duration>;
signatures-validity-dnskey <duration>;
zone-propagation-delay <duration>;
}; // may occur multiple times
Co z toho vlastne potrebuju? Jak co nejsnadneji premigrovat z auto-dnssec na dnssec-policy?
2 Odpovědí
1913 Zhlédnutí