ISC DNSSEC Guide - Working with the Parent Zone

Matthijs Mekking matthijs at isc.org
Wed Dec 23 09:33:19 UTC 2020


Hi Daniel,

With which specific 9.16 version are you testing? The first versions 
used an unsafe time based rollover, assuming the DS would be published 
within a certain time. In 9.16.7 a new rndc command "rndc dnssec 
-checkds" was introduced to tell BIND 9 that the DS for a given key has 
been published.

Best regards,

Matthijs

On 23-12-2020 09:53, Daniel Stirnimann wrote:
> Hi all,
> 
> I'm testing the key rollover behavior of BIND 9.16 with the newly
> introduced "dnssec-policy" statement.
> 
> The ISC DNSSEC Guide, chapter Working with the Parent Zone (2) [1] states:
> 
> "At the time of this writing (mid-2020) BIND does not check for the
> presence of a DS record in the parent zone before completing the KSK or
> CSK rollover and withdrawing the old key. Instead, you need to use the
> rndc tool to tell named that the DS record has been published."
> 
> The last sentence that one has to tell named that the DS record has been
> published is not what I'm observing. My tests show that BIND continues
> (finishes) the key rollover. The use of the rndc tool is not required.
> Is this an error in the documentation?
> 
> dnsviz output of the test domain:
> 
> badware.ch signed with key 39414 but no trust anchor in .ch yet:
> https://dnsviz.net/d/badware.ch/X9DD2w/dnssec/
> 
> badware.ch DNSSEC bootstrap completed (with trust anchor in .ch,
> automatically picked up by CDS/CDNSKEY polling by the parent):
> https://dnsviz.net/d/badware.ch/X9ZGPA/dnssec/
> 
> badware.ch key rollover from key 39414 to key 6207 in progress:
> https://dnsviz.net/d/badware.ch/X9oemQ/dnssec/
> 
> badware.ch previous key rollover finished. key 39414 is unused and will
> be removed from the DNSKEY rrset soon. No "rndc" command has been used
> to tell named to complete the key rollover.
> Next key rollover started with the introduction of key 15769:
> https://dnsviz.net/d/badware.ch/X-L1BQ/dnssec/
> 
> 
> DNSSEC Policy:
> 
> dnssec-policy "test" {
>      keys {
>          csk key-directory lifetime 7d algorithm 13;
>      };
> 
>      // Key timings
>      dnskey-ttl 3600;
>      publish-safety 1h;
>      retire-safety 1h;
> 
>      // Zone parameters
>      max-zone-ttl 3600;
>      zone-propagation-delay 300;
> 
>      // Parent parameters
>      parent-ds-ttl 1h;
>      parent-propagation-delay 1h;
> };
> 
> Thank you,
> Daniel
> 
> [1]
> https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 
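The check a practitioner wants before running the rndc command Matthijs mentions: confirm that the parent's DS RRset actually covers the new KSK/CSK (matching digest, not just key tag and algorithm), and only then tell named. The script below is an added example for this thread, not BIND code and not the ISC DNSSEC Guide's; it assumes the 9.16.7+ syntax "rndc dnssec -checkds [-key id [-alg algorithm]] published <zone>", a hypothetical zone example.test, and a constructed DNSKEY/DS sample (a real run would take the DNSKEY from the signed zone and the DS RRset from "dig DS <zone> @<parent-ns>"). It computes the key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4) itself, so it runs offline.

```python
"""Confirm the parent DS matches a child DNSKEY before signalling named
with `rndc dnssec -checkds ... published <zone>` (BIND 9.16.7+).

Added example, not BIND code. The zone example.test, the key bytes and
the DS records are constructed; in practice the DNSKEY comes from the
signed zone and the DS RRset from `dig DS <zone> @<parent-ns>`.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SEP = 0x0001  # Secure Entry Point flag: set on KSKs and CSKs (flags 257)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lowercase, length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @classmethod
    def parse(cls, rr: str) -> "DNSKEY":
        """Presentation format: owner ttl class DNSKEY flags proto alg key..."""
        f = rr.split()
        i = f.index("DNSKEY")
        return cls(f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]),
                   base64.b64decode("".join(f[i + 4:])))

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey

    def key_tag(self) -> int:
        """RFC 4034 Appendix B: 16-bit sum over RDATA, carries folded back in."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex

    @classmethod
    def parse(cls, rr: str) -> "DS":
        """Presentation format: owner ttl class DS keytag alg dtype digest..."""
        f = rr.split()
        i = f.index("DS")
        return cls(f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]),
                   "".join(f[i + 4:]).lower())


def make_ds(key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS a parent should publish for `key` (RFC 4034 section 5.1.4)."""
    h = DIGESTS[digest_type](owner_wire(key.owner) + key.rdata()).hexdigest()
    return DS(key.owner.lower(), key.key_tag(), key.algorithm, digest_type, h)


def matching_ds(parent_ds: List[DS], key: DNSKEY) -> Optional[DS]:
    """Parent DS that really covers `key`, or None. Tags collide, so the
    digest must be recomputed from the DNSKEY and compared, not just the tag."""
    tag = key.key_tag()
    for ds in parent_ds:
        if ds.owner.lower() != key.owner.lower():
            continue
        if ds.key_tag != tag or ds.algorithm != key.algorithm:
            continue
        if ds.digest_type in DIGESTS and make_ds(key, ds.digest_type).digest == ds.digest:
            return ds
    return None


def checkds_command(zone: str, key: DNSKEY, parent_ds: List[DS]) -> Optional[str]:
    """rndc command to run once the parent DS is confirmed; None means do not signal."""
    if not key.flags & SEP:
        return None  # ZSKs never get a DS; nothing to tell named
    if matching_ds(parent_ds, key) is None:
        return None
    return f"rndc dnssec -checkds -key {key.key_tag()} -alg {key.algorithm} published {zone}"


# --- constructed sample input ---
# Hypothetical CSK (flags 257, algorithm 13); 64 bytes of 0x01 stand in for a
# real ECDSA P-256 public key so the key tag (9262) can be verified by hand.
CSK = DNSKEY.parse("example.test. 3600 IN DNSKEY 257 3 13 "
                   + base64.b64encode(bytes([1] * 64)).decode())
_good = make_ds(CSK, 2)
PARENT_DS = [
    # stale DS for a retired key; tag borrowed from the thread, digest constructed
    DS.parse("example.test. 3600 IN DS 39414 13 2 " + "ab" * 32),
    # same tag as the CSK but a wrong digest: a tag-only check would accept it
    DS.parse(f"example.test. 3600 IN DS {_good.key_tag} 13 2 " + "00" * 32),
    # the DS the parent should publish for the CSK
    DS.parse(f"example.test. 3600 IN DS {_good.key_tag} 13 2 {_good.digest}"),
]

if __name__ == "__main__":
    print(checkds_command("example.test", CSK, PARENT_DS))       # the rndc line
    print(checkds_command("example.test", CSK, PARENT_DS[:2]))   # None: do not signal
```

Run it as-is to see the decision for the constructed records; to use it for real, replace the CSK line with the zone's own DNSKEY and PARENT_DS with the records from "dig +short DS <zone> @<parent-ns>" (checked against more than one parent authoritative server, since the DS must be visible everywhere before the old key is withdrawn). The ZSK short-circuit and the digest comparison are the two places a naive script goes wrong: a stale DS with a colliding tag, or a DS for a different key with the same tag, would otherwise let you tell named the rollover is safe when it is not.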