CDS/CDNSKEY are not published with BIND-9.16.1 and dnssec-policies

Tom lists at verreckte-cheib.ch
Thu Apr 9 06:27:57 UTC 2020


Hi
Using BIND-9.16.1.
In the last ISC dnssec webinar 
(https://www.youtube.com/watch?v=2aB__FZZQ84) I heard that CDS/CDNSKEY 
records should automatically be published when using dnssec-policies.

My policy looks like this:
dnssec-policy "test-policy" {
	dnskey-ttl 60;
	keys {
		ksk lifetime unlimited algorithm ecdsa256;
		zsk lifetime unlimited algorithm ecdsa256;
	};
};

and the zone like this:
zone "example.com" {
	type master;
	file "master/example.com.zone";
	key-directory "/etc/named/keys/example.com";
	dnssec-policy "test-policy";
};


When digging this zone for CDS/CDNSKEY records, these keys do not 
exist:
$ dig +norec +noall +answer @127.0.0.1 cds example.com
$ dig +norec +noall +answer @127.0.0.1 cdnskey example.com

The key file for "example.com" also does not show a "published" date:
$ cat Kexample.com.+013+02624.key
; This is a key-signing key, keyid 2624, for example.com.
; Created: 20200409061638 (Thu Apr  9 08:16:38 2020)
; Publish: 20200409061638 (Thu Apr  9 08:16:38 2020)
; Activate: 20200409061638 (Thu Apr  9 08:16:38 2020)
example.com. 60 IN DNSKEY 257 3 13 
uV/NtPZSL1fmO3FAi4pZCcbTl19iD3SizgVcDXGJEl1g4l/cHUGvVl33 
3cx2cODA6RUj55pZa77g1VBtFBXByg==


Any hints why, in this case, the dnssec-policy mechanism doesn't publish 
the CDS/CDNSKEY records?

Many thanks.

Kind regards,
Tom
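A small operator-side checker, added here as an example and not part of the post or of BIND itself: it reads the timing metadata BIND writes as comments into a key file (the Created/Publish/Activate lines shown above, plus the SyncPublish/SyncDelete lines that schedule CDS/CDNSKEY publication, which the posted file lacks) and reports whether CDS/CDNSKEY records should be expected for that key at a given time. The sample key files are constructed from the posted one; the second adds a SyncPublish line to show the contrast.

```python
import re
from datetime import datetime

# Constructed samples modelled on the key file quoted in the post. The first
# is the file as posted; the second adds the "; SyncPublish:" metadata line
# that BIND uses to schedule CDS/CDNSKEY publication for a key.
KEYFILE_AS_POSTED = """\
; This is a key-signing key, keyid 2624, for example.com.
; Created: 20200409061638 (Thu Apr  9 08:16:38 2020)
; Publish: 20200409061638 (Thu Apr  9 08:16:38 2020)
; Activate: 20200409061638 (Thu Apr  9 08:16:38 2020)
example.com. 60 IN DNSKEY 257 3 13 uV/NtPZSL1fmO3FAi4pZCcbTl19iD3SizgVcDXGJEl1g4l/cHUGvVl333cx2cODA6RUj55pZa77g1VBtFBXByg==
"""
KEYFILE_WITH_SYNC = KEYFILE_AS_POSTED + "; SyncPublish: 20200409061638 (Thu Apr  9 08:16:38 2020)\n"

TIMING_FIELDS = ("Created", "Publish", "Activate", "SyncPublish", "SyncDelete")
TS_FORMAT = "%Y%m%d%H%M%S"  # BIND writes timing metadata as YYYYMMDDHHMMSS (UTC)

def parse_keyfile(text):
    """Return (timing metadata as datetimes, DNSKEY flags field or None)."""
    meta, flags = {}, None
    for line in text.splitlines():
        m = re.match(r";\s*(\w+):\s*(\d{14})", line)
        if m and m.group(1) in TIMING_FIELDS:
            meta[m.group(1)] = datetime.strptime(m.group(2), TS_FORMAT)
            continue
        m = re.match(r"\S+\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+3\s+\d+\s", line)
        if m:
            flags = int(m.group(1))
    return meta, flags

def cds_status(text, now_ts):
    """Classify whether CDS/CDNSKEY should be visible for this key at now_ts."""
    now = datetime.strptime(now_ts, TS_FORMAT)
    meta, flags = parse_keyfile(text)
    if flags is None or not flags & 1:   # bit 0 is the SEP flag; 257 = KSK, 256 = ZSK
        return "not-ksk"                  # CDS/CDNSKEY are derived from KSKs only
    if "SyncPublish" not in meta:
        return "no-sync-publish"          # nothing schedules CDS/CDNSKEY for this key
    if meta["SyncPublish"] > now:
        return "pending"                  # scheduled, but the time has not come yet
    if "SyncDelete" in meta and meta["SyncDelete"] <= now:
        return "withdrawn"                # CDS/CDNSKEY already removed again
    return "expected"                     # dig for CDS/CDNSKEY should return records

if __name__ == "__main__":
    for name, kf in (("as posted", KEYFILE_AS_POSTED), ("with SyncPublish", KEYFILE_WITH_SYNC)):
        print(f"{name}: {cds_status(kf, '20200409070000')}")
```

Run against the real K*.key files in the zone's key-directory to see at a glance whether the absence of CDS/CDNSKEY in dig output matches the key metadata or points at the policy itself.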

