Hello Ulrich,
On 9.8.2016 10:40, Ulrich Wisser wrote:
> algorithm 8
> size 2048
> flags 256
> active -1
> retire 0
> remove 0
What Knot DNS version do you have? Is that the output of keymgr? The
minus one looks strange...
> I guess the retire and remove values are the problem. How do I set them
> for the old keys? And how do I configure my policy to set them for
> future keys?
The zero value has a slightly different meaning for the different key
states, for backward compatibility with keys imported from BIND. Zero for
publish and active means "immediately"; for retire and remove it means
"never".
If the keys are maintained automatically, retire and remove should be set
correctly so that the keys are removed after the roll is finished. Anyway,
set them to some time in the past and the keys will disappear:
$ keymgr zone key set [keyid] retire +0 remove +0
Cheers,
Jan
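The check a practitioner would want before running that command is a quick audit of the key listing for timers that mean "never" (and for odd values like the "active -1" above). The script below is an added example for this thread, not Knot DNS or keymgr code. It assumes each key is a block of plain "name value" lines in the shape quoted above, separated by a blank line, with an extra "id <keyid>" line per key (an assumption; the quoted output shows no id line), and that timestamps are Unix epoch seconds. The semantics it applies are the ones Jan states: 0 for publish/active means "immediately", 0 for retire/remove means "never". The sample listing is constructed, and the suggested fix is the command from the reply copied as given; check its exact argument form against your keymgr version before running it, and only run it for keys you have confirmed are out of the roll.

```python
"""Audit a keymgr-style key listing for retire/remove timers that mean "never".

Added example for the thread, not Knot DNS/keymgr code. Assumes plain
"name value" records with an "id <keyid>" line per key (assumption) and
Unix-epoch timestamps; 0 means "now" for publish/active, "never" for
retire/remove, as described in the reply.
"""
import time

# Constructed sample, not real keymgr output. Key 11111 mirrors the record
# quoted in the thread ("active -1", retire/remove 0); 22222 is a healthy
# current key; 44444 reached its retire time but has remove set to never.
SAMPLE_LISTING = """\
id 11111
algorithm 8
flags 256
publish 0
active -1
retire 0
remove 0

id 22222
algorithm 8
flags 257
publish 1470000000
active 1470000000
retire 1490000000
remove 1495000000

id 44444
algorithm 8
flags 256
publish 1470000000
active 1470000000
retire 1475000000
remove 0
"""

ZERO_MEANS_NOW = ("publish", "active")
ZERO_MEANS_NEVER = ("retire", "remove")


def parse_listing(text):
    """Split the listing into one dict per key (blank line separates keys)."""
    keys, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                keys.append(current)
                current = {}
            continue
        name, _, value = line.partition(" ")
        current[name] = value.strip()
    if current:
        keys.append(current)
    return keys


def timer_state(field, raw):
    """Interpret one timing field as ("now"|"never"|"at"|"invalid", value)."""
    try:
        value = int(raw)
    except ValueError:
        return "invalid", raw
    if value < 0:
        return "invalid", value  # the "active -1" seen in the thread
    if value == 0:
        return ("never" if field in ZERO_MEANS_NEVER else "now"), 0
    return "at", value


def audit_keys(text, now=None):
    """Return {keyid: [issue, ...]}; an empty list means the key looks fine."""
    now = int(time.time()) if now is None else now
    report = {}
    for key in parse_listing(text):
        issues = []
        states = {f: timer_state(f, key.get(f, "0"))
                  for f in ZERO_MEANS_NOW + ZERO_MEANS_NEVER}
        for field, (state, value) in states.items():
            if state == "invalid":
                issues.append(f"{field} has invalid timestamp {value}")
            elif state == "never":
                issues.append(f"{field} is 0, i.e. never")
        # A key past its retire time with remove=never stays in the zone forever.
        retire_state, retire_at = states["retire"]
        if retire_state == "at" and retire_at <= now and states["remove"][0] == "never":
            issues.append(f"retired at {retire_at} but remove is never")
        report[key.get("id", "?")] = issues
    return report


def fix_commands(report):
    """The command from the reply, one per key whose retire/remove is never.
    Run it only for keys you have confirmed are finished with their roll."""
    return [f"keymgr zone key set {keyid} retire +0 remove +0"
            for keyid, issues in sorted(report.items())
            if any(i.endswith("never") for i in issues)]


if __name__ == "__main__":
    rep = audit_keys(SAMPLE_LISTING, now=1481000000)
    for keyid, issues in rep.items():
        print(keyid, "OK" if not issues else "; ".join(issues))
    print("\n".join(fix_commands(rep)))
```

Pipe real `keymgr` output through `audit_keys` after adjusting `parse_listing` to the record format your version prints; the "now" argument is fixed in the sample so the result does not depend on when you run it.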