Testing KASP, CDS, and .ch

John W. Blue john.blue at rrcic.com
Fri Apr 9 19:05:15 UTC 2021


So the issue here is that the DS record that sits in .ch has an ID of 22048 but the domainmail.ch servers are telling the world that the correct ID is 17870.

Thus the DNSSEC breakage.

John

-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Jim Popovitch via bind-users
Sent: Friday, April 09, 2021 1:58 PM
To: bind-users at lists.isc.org
Subject: Testing KASP, CDS, and .ch

Hello!

I've read the "Schacher 20200622 Support for and adoption of CDS in .ch and .li", and studied https://kb.isc.org/docs/dnssec-key-and-signing-policy, however I've hit a brick wall:

https://dnsviz.net/d/domainmail.ch/dnssec/

What am I missing?

I'm using the following policy and zone config: 

dnssec-policy "test" {
        keys { csk lifetime P30D algorithm ECDSAP256SHA256; };
};

zone "domainmail.ch" {
        type master;
        file "/etc/bind/zone/domainmail.ch";
        dnssec-policy "test";
};

Here is the info for the active keys:

/etc/bind/keys/Kdomainmail.ch.+013+22048.key
; This is a key-signing key, keyid 22048, for domainmail.ch.
; Created: 20210208192710 (Mon Feb  8 19:27:10 2021)
; Publish: 20210208192710 (Mon Feb  8 19:27:10 2021)
; Activate: 20210208222710 (Mon Feb  8 22:27:10 2021)
; Inactive: 20210310222710 (Wed Mar 10 22:27:10 2021)
; Delete: 20210320233210 (Sat Mar 20 23:32:10 2021)
; SyncPublish: 20210208222710 (Mon Feb  8 22:27:10 2021)

/etc/bind/keys/Kdomainmail.ch.+013+17870.key
; This is a key-signing key, keyid 17870, for domainmail.ch.
; Created: 20210310202210 (Wed Mar 10 20:22:10 2021)
; Publish: 20210310202210 (Wed Mar 10 20:22:10 2021)
; Activate: 20210310222710 (Wed Mar 10 22:27:10 2021)
; Inactive: 20210409222710 (Fri Apr  9 22:27:10 2021)
; Delete: 20210419233210 (Mon Apr 19 23:32:10 2021)
; SyncPublish: 20210310222710 (Wed Mar 10 22:27:10 2021)

/etc/bind/keys/Kdomainmail.ch.+013+04319.key
; This is a key-signing key, keyid 4319, for domainmail.ch.
; Created: 20210220012755 (Sat Feb 20 01:27:55 2021)
; Publish: 20210220012755 (Sat Feb 20 01:27:55 2021)
; Activate: 20210220012755 (Sat Feb 20 01:27:55 2021)
; Inactive: 20210221040633 (Sun Feb 21 04:06:33 2021)
; Delete: 20210303051133 (Wed Mar  3 05:11:33 2021)
; SyncPublish: 20210221023255 (Sun Feb 21 02:32:55 2021)


-Jim P.
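
The mismatch described in the reply can be checked from the key-file timestamps quoted above. This is an added example, not part of the thread or of BIND; the function names are hypothetical, and it assumes the key-file timing metadata matches what named actually serves.

```python
from datetime import datetime, timezone

# Timing metadata copied from the three key files quoted in the thread.
KEYS = {
    22048: {"Activate": "20210208222710", "Inactive": "20210310222710",
            "Delete": "20210320233210", "SyncPublish": "20210208222710"},
    17870: {"Activate": "20210310222710", "Inactive": "20210409222710",
            "Delete": "20210419233210", "SyncPublish": "20210310222710"},
    4319:  {"Activate": "20210220012755", "Inactive": "20210221040633",
            "Delete": "20210303051133", "SyncPublish": "20210221023255"},
}

def ts(stamp):
    """Parse a BIND key-file timestamp (YYYYMMDDHHMMSS, UTC)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def key_state(meta, now):
    """Classify a key by the latest lifecycle event that has already passed."""
    for field, state in (("Delete", "deleted"), ("Inactive", "inactive"),
                         ("Activate", "active")):
        if now >= ts(meta[field]):
            return state
    return "pre-active"

def check_delegation(parent_ds_tags, keys, now):
    """Compare key tags in the parent's DS set with the child's key lifecycle."""
    states = {tag: key_state(meta, now) for tag, meta in keys.items()}
    # Simplification: a DS only helps if it points at a key still signing the zone.
    stale = sorted(t for t in parent_ds_tags
                   if states.get(t, "unknown") != "active")
    # Active keys whose CDS is already published but which the parent lacks,
    # with the number of whole days the CDS has been waiting.
    waiting = {t: (now - ts(keys[t]["SyncPublish"])).days
               for t, s in states.items()
               if s == "active" and t not in parent_ds_tags
               and now >= ts(keys[t]["SyncPublish"])}
    return {"chain_ok": any(states.get(t) == "active" for t in parent_ds_tags),
            "stale_ds": stale, "waiting_for_ds": waiting}

if __name__ == "__main__":
    now = datetime(2021, 4, 9, 19, 5, 15, tzinfo=timezone.utc)  # time of the reply
    print(check_delegation({22048}, KEYS, now))  # DS tag reported for .ch
```

Run against the DS tag from the reply, it reports 22048 as stale and 17870 as an active key whose CDS the parent has not yet acted on.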
