Full automatic DNSSEC for hosted zones/domains
Matthijs Mekking
matthijs at isc.org
Wed Apr 8 07:14:21 UTC 2020
Hi Philippe,
On 4/7/20 3:46 PM, Philippe Maechler wrote:
> Hello bind users
>
>> The answer is almost, as long as the zone has a DNSSEC policy configured:
>>
>> zone "newdomain.de" {
>> type master;
>> file "../master/newdomain.de";
>> dnssec-policy default;
>> }
>>
>> The only thing not yet fully automated is submitting the DS to the
>> parent. You can do that as soon as named puts the CDS/CDNSKEY records in
>> the zone.
>
> So you're saying, that with a DNSSEC policy configured, bind is creating CDS records for me? If so, then when my registrar is supporting those records (switch.ch), this zone fully automated in regards of DNSSEC?
> Is the creation of CDS Records a config option or on by default?
Yes, that is right. The creation of CDS and CDNSKEY records happens
always and cannot be turned off with an option.
> What about going from secure to insecure? Is this possible with dnssec policy or do I then have to put the relevant CDS records in the zone by hand?
This is not possible yet with dnssec-policy. I suggest putting the
deletion CDS record in the zone, setting dnssec-policy to none, and
running dnssec-signzone on your zone temporarily.
Best regards,
Matthijs
> Best regards
> Philippe
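As an added example (not BIND's code and not from this thread): a small Python checker that a registrar- or monitoring-side script could use to interpret the CDS a child zone publishes, computing the DS from a DNSKEY (RFC 4034 key tag, RFC 4509 SHA-256 digest) and recognising the RFC 8078 deletion record `0 0 0 00` that the reply above refers to. The zone name and DNSKEY values below are constructed test data, not real keys.

```python
import base64
import hashlib

# RFC 8078 section 4: CDS "0 0 0 00" asks the parent to remove the DS (go insecure).
DELETE_CDS = (0, 0, 0, "00")

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def parse_dnskey(rdata: str):
    """Presentation-format DNSKEY RDATA -> (flags, protocol, algorithm, public key bytes)."""
    flags, proto, alg, *key = rdata.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(key))

def key_tag(flags: int, proto: int, alg: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_for_dnskey(owner: str, rdata: str, digest_type: int = 2) -> tuple:
    """DS as (key tag, algorithm, digest type, hex digest); type 2 = SHA-256, 4 = SHA-384."""
    flags, proto, alg, pub = parse_dnskey(rdata)
    wire = name_to_wire(owner) + flags.to_bytes(2, "big") + bytes([proto, alg]) + pub
    hexdigest = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type](wire).hexdigest().upper()
    return key_tag(flags, proto, alg, pub), alg, digest_type, hexdigest

def parse_cds(rdata: str) -> tuple:
    tag, alg, dt, *digest = rdata.split()
    return int(tag), int(alg), int(dt), "".join(digest).upper()

def classify_cds(owner: str, cds_rdata: str, dnskeys: list) -> str:
    """'delete': RFC 8078 deletion record; 'publish': CDS matches a DNSKEY in the zone;
    'unsupported': digest type we cannot verify; 'mismatch': no published key matches."""
    cds = parse_cds(cds_rdata)
    if cds == DELETE_CDS:
        return "delete"
    if cds[2] not in (2, 4):
        return "unsupported"
    if any(ds_for_dnskey(owner, dk, cds[2]) == cds for dk in dnskeys):
        return "publish"
    return "mismatch"  # never install a DS the child's DNSKEY RRset does not back
```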