key rollover with BIND 9.9
Axel Rau
Axel.Rau at chaos1.de
Sat Jan 26 09:49:39 UTC 2013
On 26.01.2013 at 00:39, Michael W. Lucas wrote:
> Hi,
>
> I'm trying to automate key rollover with BIND 9.9.2 (will soon upgrade
> to new rev). I have a couple of elementary questions that seem to be
> answered briefly in the documentation, but I suspect that my grasp of
> key rollover is clouded by the last decade of blog posts about tools
> and techniques that are no longer necessary.
>
> I have a test zone set with "auto-dnssec maintain" and "inline-signing
> yes". My zone gets signed, RRSIGs get generated, and so on.
>
> The 9.9 ARM says at 4.9.7 that named will automatically carry out the
> key rollover. Does this include creation of new key files?
>
> When the KSK rolls over, do I need to update my registrar? Or does
> that happen automatically? (I see hints that the root servers pick up
> the new DS record, but that seems too good to be true.)
>
> By default, keys have no expiration date. I'm assuming I must set an
> expiration date on the ZSK and KSK for named to automatically create
> the new key?
>
> As a test, I've set my test zone ZSK with a fairly short time to
> expire.
>
> dnssec-settime -I +7d -D +14d Kabsolutenetbsd.com.+005+39543
>
> named hasn't created a new ZSK, however. Should I expect it to? Or is
> there some other document I need to read?
>
It's your responsibility to create the keys and to renew the DS-RR with your registrar.
I have written a Python 3 script which does all this housekeeping, including registrar updates for 2 registrars.
You can find it here:
https://github.com/mc3/DSKM
Axel
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
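Axel's point, that named will not create the successor key for you, is exactly what the questioner's experiment shows: a ZSK given an Inactive and Delete time with no successor will simply stop signing when that time arrives. As an added example (my code, not Axel's DSKM script and not part of BIND), the following Python script reads the timing comment lines that dnssec-keygen and dnssec-settime write into K*.key files and reports every active key that goes inactive within a warning window without a successor of the same role, or whose successor is published less than one DNSKEY TTL before it starts signing. The sample key files, the key tags 12345, 11111 and 22222, the example.net zone, the placeholder public key data and the one-day DNSKEY TTL are all constructed for this example; only absolutenetbsd.com and key tag 39543 come from the thread.

```python
"""Report DNSSEC key rollovers that will fail for lack of a successor key.
Added example for this thread, not part of BIND. It parses the "; Publish:"
style comment lines found in K*.key files; the sample files are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed .key files: absolutenetbsd.com has a retiring ZSK with no
# successor (the situation in the question); example.net has a successor
# ZSK that was pre-published two weeks before it activates.
SAMPLE_KEY_FILES = {
    "Kabsolutenetbsd.com.+005+39543.key": """\
; This is a zone-signing key, keyid 39543, for absolutenetbsd.com.
; Publish: 20130101000000 (Tue Jan  1 00:00:00 2013)
; Activate: 20130101000000 (Tue Jan  1 00:00:00 2013)
; Inactive: 20130202000000 (Sat Feb  2 00:00:00 2013)
; Delete: 20130209000000 (Sat Feb  9 00:00:00 2013)
absolutenetbsd.com. IN DNSKEY 256 3 5 AwEAAplaceholder
""",
    "Kabsolutenetbsd.com.+005+12345.key": """\
; This is a key-signing key, keyid 12345, for absolutenetbsd.com.
; Publish: 20130101000000 (Tue Jan  1 00:00:00 2013)
; Activate: 20130101000000 (Tue Jan  1 00:00:00 2013)
absolutenetbsd.com. IN DNSKEY 257 3 5 AwEAAplaceholder
""",
    "Kexample.net.+005+11111.key": """\
; This is a zone-signing key, keyid 11111, for example.net.
; Publish: 20121201000000 (Sat Dec  1 00:00:00 2012)
; Activate: 20121201000000 (Sat Dec  1 00:00:00 2012)
; Inactive: 20130205000000 (Tue Feb  5 00:00:00 2013)
; Delete: 20130212000000 (Tue Feb 12 00:00:00 2013)
example.net. IN DNSKEY 256 3 5 AwEAAplaceholder
""",
    "Kexample.net.+005+22222.key": """\
; This is a zone-signing key, keyid 22222, for example.net.
; Publish: 20130120000000 (Sun Jan 20 00:00:00 2013)
; Activate: 20130205000000 (Tue Feb  5 00:00:00 2013)
example.net. IN DNSKEY 256 3 5 AwEAAplaceholder
""",
}

HEADER_RE = re.compile(r"^; This is a (zone|key)-signing key, keyid (\d+), for (\S+)")
TIME_RE = re.compile(r"^; (Created|Publish|Activate|Inactive|Delete|Revoke): (\d{14})")


def parse_key_file(text):
    """Return zone, role (ZSK/KSK), key tag and the timing metadata of one .key file."""
    key = {"zone": None, "role": None, "tag": None, "times": {}}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            key["role"] = "ZSK" if m.group(1) == "zone" else "KSK"
            key["tag"] = int(m.group(2))
            key["zone"] = m.group(3)
            continue
        m = TIME_RE.match(line)
        if m:  # timestamps are UTC in YYYYMMDDHHMMSS form
            stamp = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
            key["times"][m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    if key["zone"] is None:
        raise ValueError("no key header comment found")
    return key


def is_active(key, now):
    """A key signs between its Activate time and its Inactive time (if any)."""
    t = key["times"]
    inactive = t.get("Inactive")
    return "Activate" in t and t["Activate"] <= now and (inactive is None or inactive > now)


def check_rollovers(key_texts, now, warn_within=timedelta(days=14), dnskey_ttl=timedelta(days=1)):
    """Return (zone, role, tag, status) for every active key retiring within warn_within."""
    keys = [parse_key_file(t) for t in key_texts]
    findings = []
    for k in keys:
        inactive = k["times"].get("Inactive")
        if not is_active(k, now) or inactive is None or inactive - now > warn_within:
            continue  # not signing now, or not retiring within the window
        # A successor has the same role in the same zone, starts signing no later
        # than this key stops, and outlives it. (A KSK successor additionally
        # needs its DS at the registrar, which this check cannot see.)
        successors = [
            s for s in keys
            if s["zone"] == k["zone"] and s["role"] == k["role"] and s["tag"] != k["tag"]
            and "Activate" in s["times"] and s["times"]["Activate"] <= inactive
            and (s["times"].get("Inactive") is None or s["times"]["Inactive"] > inactive)
        ]
        if not successors:
            status = "NO_SUCCESSOR"
        else:
            s = min(successors, key=lambda s: s["times"]["Activate"])
            pub = s["times"].get("Publish")
            # Pre-publication: the new DNSKEY must be in the zone at least one
            # DNSKEY TTL before it signs, or caches may hold a DNSKEY RRset without it.
            late = pub is None or pub + dnskey_ttl > s["times"]["Activate"]
            status = "SUCCESSOR_PUBLISHED_LATE" if late else "OK"
        findings.append((k["zone"], k["role"], k["tag"], status))
    return findings


# Reference time: the date of this thread.
NOW = datetime(2013, 1, 26, 9, 49, 39, tzinfo=timezone.utc)


def demo():
    return check_rollovers(SAMPLE_KEY_FILES.values(), NOW)


if __name__ == "__main__":
    for zone, role, tag, status in demo():
        print(f"{zone} {role} {tag}: {status}")
```

Run against a real key directory by replacing the constructed dictionary with the contents of each K*.key file; a NO_SUCCESSOR finding is the cue to generate the successor (for example with dnssec-keygen) well ahead of the Inactive time, and for a KSK to update the DS with the registrar as Axel describes.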