......@@ -375,6 +375,26 @@ convenience delay the submittion is started. The server publishes CDS and CDNSKE
and the user shall propagate them to the parent. The server periodically checks for
DS at the master and when positive, finishes the rollover.
To share KSKs among zones, set the ksk-shared policy parameter. It is strongly discouraged to
change the policy ``id`` afterwards! The shared key's creation timestamp will be equal for all
zones, but other timers (e.g. activate, retire) may get out of sync. ::
- id: sharedp
ksk-lifetime: 365d
ksk-shared: true
ksk-submittion-check: [cz_zone]
- domain: firstzone.test
dnssec-signing: on
dnssec-policy: sharedp
- domain: secondzone.test
dnssec-signing: on
dnssec-policy: sharedp
.. _dnssec-manual-key-management:
Manual key management
......@@ -511,6 +511,7 @@ policy:
algorithm: dsa | rsasha1 | dsa\-nsec3\-sha1 | rsasha1\-nsec3\-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384
ksk\-size: SIZE
zsk\-size: SIZE
ksk\-shared: BOOL
dnskey\-ttl: TIME
zsk\-lifetime: TIME
ksk\-lifetime: TIME
......@@ -570,6 +571,11 @@ A length of newly generated KSK keys.
A length of newly generated ZSK keys.
\fIDefault:\fP see default for \fI\%ksk\-size\fP
.SS ksk\-shared
If enabled, all zones with this policy assigned will share one KSK.
\fIDefault:\fP off
.SS dnskey\-ttl
A TTL value for DNSKEY records added into zone apex.
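Review bot: the `.SS ksk\-shared` description says only that the zones "will share one KSK" and drops the constraints the reference text attaches to the feature (changing the policy ``id`` afterwards is strongly discouraged, per-zone timers may drift); because the man page is what an operator reads at the console, add at least a one-line pointer such as "Changing the policy id afterwards is strongly discouraged; see the DNSSEC key rollover documentation." so the caveats travel with the option.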
......@@ -571,6 +571,7 @@ DNSSEC policy configuration.
algorithm: dsa | rsasha1 | dsa-nsec3-sha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384
ksk-size: SIZE
zsk-size: SIZE
ksk-shared: BOOL
dnskey-ttl: TIME
zsk-lifetime: TIME
ksk-lifetime: TIME
......@@ -651,7 +652,14 @@ A length of newly generated :abbr:`ZSK (Zone Signing Key)` keys.
*Default:* see default for :ref:`ksk-size<policy_ksk-size>`
.. _policy_dnskey-ttl:
.. _policy_ksk-shared:
If enabled, all zones with this policy assigned will share one KSK.
*Default:* off
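Review bot: the new `.. _policy_ksk-shared:` label is followed directly by the description paragraph with no `ksk-shared` section title visible between them, so the label would attach to a paragraph rather than a heading and `:ref:` links to it would render without a title; make sure the heading and its underline are present. In the same hunk `.. _policy_dnskey-ttl:` now sits between the ksk-size default line and the new ksk-shared label, i.e. above the inserted section rather than above the dnskey-ttl heading it targets; move that label below the new section so the existing dnskey-ttl cross-references keep pointing at the right place. As in the man page, consider one line here noting that the policy ``id`` must not be changed once a shared KSK exists, matching the rollover section.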
