Full automatic DNSSEC for hosted zones/domains

Matthijs Mekking matthijs at isc.org
Wed Apr 8 07:14:21 UTC 2020

Hi Philippe,

On 4/7/20 3:46 PM, Philippe Maechler wrote:
> Hello bind users
>> The answer is almost, as long as the zone has a DNSSEC policy configured:
>> zone "newdomain.de" {
>>   type master;
>>   file "../master/newdomain.de";
>>   dnssec-policy default;
>> }
>> The only thing not yet fully automated is submitting the DS to the
>> parent. You can do that as soon as named puts the CDS/CDNSKEY records in
>> the zone.
> So you're saying that with a DNSSEC policy configured, BIND creates CDS records for me? If so, then once my registrar (switch.ch) supports those records, is this zone fully automated with regard to DNSSEC?
> Is the creation of CDS Records a config option or on by default?

Yes, that is right. The creation of CDS and CDNSKEY records always
happens and cannot be turned off with an option.

> What about going from secure to insecure? Is this possible with dnssec policy or do I then have to put the relevant CDS records in the zone by hand?

This is not possible yet with dnssec-policy. I suggest putting the
deletion CDS record in the zone, setting dnssec-policy to none, and
signing your zone temporarily with dnssec-signzone.

Best regards,


> Best regards
> Philippe


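The following is an added example, not code from the original post or from BIND. It shows what the "deletion" CDS/CDNSKEY records referred to above look like (the RFC 8078 form, CDS "0 0 0 00" and CDNSKEY "0 3 0 AA=="), and it performs the check a practitioner would want before asking the parent to act on CDS records: every CDS in the zone must equal the DS of a DNSKEY the zone actually publishes (RFC 4034 key tag and SHA-256 digest), every CDNSKEY must be a published DNSKEY, and a delete-form record must not be mixed with anything else. The owner name example.com., the DNSKEY blob AQIDBA== (which is just the bytes 01 02 03 04, not a real key) and the sample zone text are constructed for illustration.

```python
"""Check the CDS/CDNSKEY records in a zone file against its DNSKEY set.

Added example, not part of the original mailing-list post or of BIND.
Owner names, key material and the sample zone below are constructed;
the DNSKEY blob is not a real public key.
"""
import base64
import hashlib

RTYPES = {"DNSKEY", "CDS", "CDNSKEY"}
# RFC 8078 section 4: the "delete DS" forms, as rdata fields.
CDS_DELETE = ["0", "0", "0", "00"]
CDNSKEY_DELETE = ["0", "3", "0", "AA=="]


def owner_wire(name: str) -> bytes:
    """Canonical wire-format owner name (lower-cased labels, RFC 4034 6.2)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, proto: int, alg: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except obsolete RSA/MD5)."""
    acc = 0
    for i in range(0, len(rdata), 2):
        acc += int.from_bytes(rdata[i:i + 2].ljust(2, b"\x00"), "big")
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, proto: int, alg: int, key_b64: str):
    """(key tag, algorithm, digest type 2, SHA-256 hex digest), RFC 4034 5.1.4."""
    rdata = dnskey_rdata(flags, proto, alg, key_b64)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, 2, digest


def parse_zone(text: str):
    """Minimal parser: one record per line, ';' comments ignored.
    Yields (owner, rtype, rdata_fields) for DNSKEY/CDS/CDNSKEY records only."""
    records = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        for i, tok in enumerate(fields):
            if i > 0 and tok.upper() in RTYPES:
                records.append((fields[0], tok.upper(), fields[i + 1:]))
                break
    return records


def _norm(fields):
    """(flags/tag, proto/alg, alg/digest-type, key-or-digest) with the blob rejoined."""
    return (fields[0], fields[1], fields[2], "".join(fields[3:]).upper())


def check_cds(zone_text: str) -> dict:
    """Classify the zone's CDS/CDNSKEY state before the parent acts on it.
    Returns {"state": "none" | "delete" | "consistent" | "mismatch", "problems": [...]}."""
    recs = parse_zone(zone_text)
    dnskeys = [(o, f) for o, t, f in recs if t == "DNSKEY"]
    cds = [f for _, t, f in recs if t == "CDS"]
    cdnskeys = [f for _, t, f in recs if t == "CDNSKEY"]
    problems = []
    if not cds and not cdnskeys:
        return {"state": "none", "problems": problems}
    # Delete form: must be the only CDS and the only CDNSKEY, and both present.
    if CDS_DELETE in cds or CDNSKEY_DELETE in cdnskeys:
        if cds != [CDS_DELETE] or cdnskeys != [CDNSKEY_DELETE]:
            problems.append("delete-form CDS/CDNSKEY mixed with other records or incomplete")
            return {"state": "mismatch", "problems": problems}
        return {"state": "delete", "problems": problems}
    # Normal form: every CDS must be the DS of a published DNSKEY, and every
    # CDNSKEY must itself be a published DNSKEY.
    expected_ds = set()
    for owner, f in dnskeys:
        tag, alg, dt, dig = ds_from_dnskey(owner, int(f[0]), int(f[1]), int(f[2]), "".join(f[3:]))
        expected_ds.add((str(tag), str(alg), str(dt), dig))
    for f in cds:
        if _norm(f) not in expected_ds:
            problems.append("CDS " + " ".join(f) + " matches no DNSKEY in the zone")
    published = {_norm(f) for _, f in dnskeys}
    for f in cdnskeys:
        if _norm(f) not in published:
            problems.append("CDNSKEY " + " ".join(f) + " is not a published DNSKEY")
    return {"state": "consistent" if not problems else "mismatch", "problems": problems}


# Constructed sample zones (not real keys; "AQIDBA==" is bytes 01 02 03 04, key tag 2068).
_KEY = "AQIDBA=="
_TAG, _ALG, _DT, _DIGEST = ds_from_dnskey("example.com.", 257, 3, 13, _KEY)
SAMPLE_SIGNED_ZONE = f"""
example.com.  3600 IN DNSKEY  257 3 13 {_KEY}   ; KSK as named would publish it
example.com.  3600 IN CDS     {_TAG} {_ALG} {_DT} {_DIGEST}
example.com.  3600 IN CDNSKEY 257 3 13 {_KEY}
"""
SAMPLE_GOING_INSECURE = """
example.com.  3600 IN DNSKEY  257 3 13 AQIDBA==
example.com.  3600 IN CDS     0 0 0 00      ; RFC 8078 "delete DS"
example.com.  3600 IN CDNSKEY 0 3 0 AA==    ; RFC 8078 "delete DS"
"""

if __name__ == "__main__":
    print("signed zone:", check_cds(SAMPLE_SIGNED_ZONE))
    print("going insecure:", check_cds(SAMPLE_GOING_INSECURE))
```

Run it against the zone file as written to disk by named (or, for the secure-to-insecure case, the file you hand-edited before running dnssec-signzone) to confirm the records the parent will see are the ones you intend; a "mismatch" result means a stale CDS or a half-applied delete form that a CDS-consuming parent would either reject or, worse, act on. BIND's own dnssec-cds utility performs the parent-side counterpart of this comparison against the existing DS set.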