CDS/CDNSKEY are not published with BIND-9.16.1 and dnssec-policies

Matthijs Mekking matthijs at isc.org
Thu Apr 9 08:21:06 UTC 2020


Hi Tom,

Because you just started signing your zone. The DNSKEY and RRSIG records 
are published but have to wait a TTL time before the DS may be 
published, to avoid a situation where a resolver fetches the DS but 
still has the corresponding DNSKEY query in the negative cache.

This time is based on the dnskey-ttl (60 seconds), publish-safety (1 
hour), max-zone-ttl (1 day) and zone-propagation-delay (300 seconds).

- publish-safety is an additional wait period before continuing a key
   roll, to allow some time to react to unforeseen events.
- max-zone-ttl should be set to your maximum used TTL in the zone. In
   the future we may add the functionality to walk the zone and determine
   the max-zone-ttl.
- zone-propagation-delay is an additional wait period to cover for the
   time it takes between changes and actual publication.

All these values are there to be extra careful on key rollover timings. 
You can lower these values in the dnssec-policy to speed up the process 
for your test zone, or tweak them to better match your setup.

Best regards,

Matthijs
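As an added example (not code from the original thread, from ISC or from BIND itself), a small POSIX shell script that turns the four intervals listed above into an estimate of the waiting time, prints a dnssec-policy with shortened timers for a throwaway test zone, and polls the server with the same dig queries until CDS and CDNSKEY appear. The estimate simply sums dnskey-ttl, publish-safety, max-zone-ttl and zone-propagation-delay; that sum is an assumption used as a conservative upper bound, not BIND's internal key-state arithmetic, and the shortened values (5m, 300, 60) are hypothetical test settings, not recommendations.

```shell
#!/bin/sh
# Added example, not code from the original thread or from ISC.
# Estimates how long a dnssec-policy zone waits before CDS/CDNSKEY appear,
# prints a policy with shortened timers for a test zone, and polls for the
# records with dig.

# Convert a BIND duration (plain seconds, or with an s/m/h/d suffix) to
# seconds. Assumption: only these single-suffix forms are needed here.
to_seconds() {
    case "$1" in
        *d) echo $(( ${1%d} * 86400 )) ;;
        *h) echo $(( ${1%h} * 3600 )) ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;
        *)  echo "$1" ;;
    esac
}

# Conservative estimate of the wait before the DS may be published: the sum
# of dnskey-ttl, publish-safety, max-zone-ttl and zone-propagation-delay.
# ASSUMPTION: an upper bound for planning, not BIND's exact key-state
# calculation; the real wait may be shorter.
cds_wait_seconds() {
    a=$(to_seconds "$1"); b=$(to_seconds "$2")
    c=$(to_seconds "$3"); d=$(to_seconds "$4")
    echo $(( a + b + c + d ))
}

# Emit a dnssec-policy with shortened timers for a throwaway test zone.
# The values are hypothetical test settings, not production advice.
test_policy() {
    cat <<'EOF'
dnssec-policy "test-policy" {
    dnskey-ttl 60;
    publish-safety 5m;
    zone-propagation-delay 60;
    max-zone-ttl 300;
    keys {
        ksk lifetime unlimited algorithm ecdsa256;
        zsk lifetime unlimited algorithm ecdsa256;
    };
};
EOF
}

# Poll the server until both CDS and CDNSKEY are answered or the deadline
# (seconds) passes. Returns 0 once both are visible, 1 on timeout.
wait_for_cds() {
    server=$1; zone=$2; deadline=$3; interval=${4:-30}
    elapsed=0
    while [ "$elapsed" -le "$deadline" ]; do
        cds=$(dig +norec +noall +answer @"$server" cds "$zone")
        cdnskey=$(dig +norec +noall +answer @"$server" cdnskey "$zone")
        if [ -n "$cds" ] && [ -n "$cdnskey" ]; then
            printf '%s\n%s\n' "$cds" "$cdnskey"
            return 0
        fi
        sleep "$interval"
        elapsed=$(( elapsed + interval ))
    done
    return 1
}

# Default timers from the reply (60, 1h, 1d, 300): roughly 25 hours.
echo "default timers: wait up to $(cds_wait_seconds 60 1h 1d 300) s"
# Shortened test timers: a few minutes.
echo "test timers:    wait up to $(cds_wait_seconds 60 5m 300 60) s"
test_policy

# Only poll when asked, so the script is safe to run without a server:
#   sh cds-wait.sh poll 127.0.0.1 example.com
if [ "${1:-}" = "poll" ]; then
    wait_for_cds "$2" "$3" "$(cds_wait_seconds 60 5m 300 60)"
fi
```

With the default timers the sum comes to 90360 seconds, which is why a freshly signed zone shows no CDS/CDNSKEY for about a day; with the shortened test policy it is 720 seconds. While waiting, `rndc dnssec -status example.com` (available in 9.16) shows the key states the server is tracking.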

On 09-04-2020 08:27, Tom wrote:
> Hi
> Using BIND-9.16.1.
> In the last ISC dnssec webinar 
> (https://www.youtube.com/watch?v=2aB__FZZQ84) I heard that CDS/CDNSKEY 
> records should automatically be published when using dnssec-policies.
> 
> My policy looks like this:
> dnssec-policy "test-policy" {
>     dnskey-ttl 60;
>     keys {
>         ksk lifetime unlimited algorithm ecdsa256;
>         zsk lifetime unlimited algorithm ecdsa256;
>     };
> };
> 
> and the zone like this:
> zone "example.com" {
>     type master;
>     file "master/example.com.zone";
>     key-directory "/etc/named/keys/example.com";
>     dnssec-policy "test-policy";
> };
> 
> 
> When digging this zone for CDS/CDNSKEY records, these records do not 
> exist:
> $ dig +norec +noall +answer @127.0.0.1 cds example.com
> $ dig +norec +noall +answer @127.0.0.1 cdnskey example.com
> 
> The keyfile for "example.com" also does not show a "published" date:
> $ cat Kexample.com.+013+02624.key
> ; This is a key-signing key, keyid 2624, for example.com.
> ; Created: 20200409061638 (Thu Apr  9 08:16:38 2020)
> ; Publish: 20200409061638 (Thu Apr  9 08:16:38 2020)
> ; Activate: 20200409061638 (Thu Apr  9 08:16:38 2020)
> example.com. 60 IN DNSKEY 257 3 13 
> uV/NtPZSL1fmO3FAi4pZCcbTl19iD3SizgVcDXGJEl1g4l/cHUGvVl33 
> 3cx2cODA6RUj55pZa77g1VBtFBXByg==
> 
> 
> Any hints why, in this case, the dnssec-policy mechanism doesn't publish 
> the CDS/CDNSKEY records?
> 
> Many thanks.
> 
> Kind regards,
> Tom