CDS/CDNSKEY are not published with BIND-9.16.1 and dnssec-policies
Matthijs Mekking
matthijs at isc.org
Thu Apr 9 08:21:06 UTC 2020
Hi Tom,

Because you just started signing your zone. The DNSKEY and RRSIG records
are published but have to wait a TTL time before the DS may be
published, to avoid a situation where a resolver fetches the DS but
still has the corresponding DNSKEY query in the negative cache.

This time is based on the dnskey-ttl (60 seconds), publish-safety (1
hour), max-zone-ttl (1 day) and zone-propagation-delay (300 seconds).

- publish-safety is an additional wait period before continuing a key
roll, to allow some time to react to unforeseen events.
- max-zone-ttl should be set to the maximum TTL used in your zone. In
the future we may add the functionality to walk the zone and determine
the max-zone-ttl.
- zone-propagation-delay is an additional wait period to cover the
time it takes between changes and actual publication.

All these values are there to be extra careful on key rollover timings.
You can lower these values in the dnssec-policy to speed up the process
for your test zone, or tweak them to better match your setup.

Best regards,
Matthijs

On 09-04-2020 08:27, Tom wrote:
> Hi
> Using BIND-9.16.1.
> In the last ISC dnssec webinar
> (https://www.youtube.com/watch?v=2aB__FZZQ84) I heard that CDS/CDNSKEY
> records should automatically be published when using dnssec-policies.
>
> My policy looks like this:
> dnssec-policy "test-policy" {
> dnskey-ttl 60;
> keys {
> ksk lifetime unlimited algorithm ecdsa256;
> zsk lifetime unlimited algorithm ecdsa256;
> };
> };
>
> and the zone like this:
> zone "example.com" {
> type master;
> file "master/example.com.zone";
> key-directory "/etc/named/keys/example.com";
> dnssec-policy "test-policy";
> };
>
>
> When digging this zone for CDS/CDNSKEY records, these keys do not
> exist:
> $ dig +norec +noall +answer @127.0.0.1 cds example.com
> $ dig +norec +noall +answer @127.0.0.1 cdnskey example.com
>
> The keyfile for "example.com" also does not show a "published"-date:
> $ cat Kexample.com.+013+02624.key
> ; This is a key-signing key, keyid 2624, for example.com.
> ; Created: 20200409061638 (Thu Apr 9 08:16:38 2020)
> ; Publish: 20200409061638 (Thu Apr 9 08:16:38 2020)
> ; Activate: 20200409061638 (Thu Apr 9 08:16:38 2020)
> example.com. 60 IN DNSKEY 257 3 13
> uV/NtPZSL1fmO3FAi4pZCcbTl19iD3SizgVcDXGJEl1g4l/cHUGvVl33
> 3cx2cODA6RUj55pZa77g1VBtFBXByg==
>
>
> Any hints why in this case the dnssec-policy mechanism doesn't publish
> the CDS/CDNSKEY records?
>
> Many thanks.
>
> Kind regards,
> Tom
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users