Ask for automated KSK roll with DS checking

Matthijs Mekking matthijs at isc.org
Thu Apr 15 06:56:44 UTC 2021



On 14-04-2021 22:30, Greg Rivers via bind-users wrote:
> On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote:
>> Does anyone have an automated KSK roll process, that checks for the DS
>> record at the parent, that they can share?
>>
>> As far as I can tell, the automated signing in BIND will roll the KSK if I
>> set the timing in the policy file, but it won't check the DS record, so it
>> will happily break DNSSEC if some other process does not update the DS
>> record at the right time.  That's too big a risk for me, the process needs
>> to check the DS record before completing the KSK roll.  Surely someone has
>> done this.  I would rather not reinvent the wheel.  But I have searched and
>> not found anything yet.
>>
> As I understand it, the way it works now is that the actual KSK rollover won't occur until you execute `rndc dnssec -checkds ...` [1].

That is correct.

> I'm hopeful that named will fully automate this check at some point soon.

It is on the roadmap:

https://gitlab.isc.org/isc-projects/bind9/-/issues/1126

- Matthijs


> [1] <https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2>
> 
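The thread's answer is that named will not complete a KSK rollover until `rndc dnssec -checkds` has been run, which leaves the "did the DS really reach the parent?" question to the operator. The script below is an added example (not code from the thread, from ISC, or from the DNSSEC guide) of gating that `rndc` call on the DS actually being served by the parent's nameserver: it computes the expected DS from the new KSK's key file with `dnssec-dsfromkey`, queries a parent nameserver directly with `dig` so no cache answers on the parent's behalf, and only then tells named the DS is published. The zone name, key-file name and parent nameserver are the caller's arguments; BIND 9.16 or later with `dig`, `rndc` and `dnssec-dsfromkey` in `PATH` is assumed, as is SHA-256 (`-2`) being the digest type submitted to the registrar.

```shell
#!/bin/sh
# Added example: only signal `rndc dnssec -checkds published` to named once
# the new KSK's DS record is visible at the parent's authoritative server.
# Assumptions (not from the thread): BIND 9.16+, SHA-256 DS, key file
# named K<zone>.+<alg>+<id> in the current directory or given by full path.

# normalize_ds DS_RDATA
# Print "keytag alg digesttype DIGEST" with the digest joined into one
# upper-case token, so a wrapped or lower-case digest still compares equal.
normalize_ds() {
    printf '%s\n' "$1" | awk '{
        d = ""
        for (i = 4; i <= NF; i++) d = d $i
        print $1, $2, $3, toupper(d)
    }'
}

# ds_visible EXPECTED_DS PARENT_ANSWER
# Succeeds when one line of PARENT_ANSWER (the output of `dig +short DS`)
# equals EXPECTED_DS after normalisation; an empty answer never matches.
ds_visible() {
    expected=$(normalize_ds "$1")
    printf '%s\n' "$2" | while IFS= read -r line; do
        normalize_ds "$line"
    done | grep -qxF -- "$expected"
}

# check_and_roll ZONE KEYFILE PARENT_NS
# Compute the DS for KEYFILE, ask PARENT_NS for the zone's DS RRset, and
# run `rndc dnssec -checkds` only on a match. Fails closed on any mismatch
# or on an empty/failed query, so a registrar that has not yet published
# the DS can never cause the rollover to advance.
check_and_roll() {
    zone=$1
    keyfile=$2
    parent_ns=$3

    # dnssec-dsfromkey prints "<zone>. IN DS <keytag> <alg> 2 <digest>";
    # keep only the RDATA after "DS ".
    expected=$(dnssec-dsfromkey -2 "$keyfile" | sed 's/^.*[[:space:]]DS[[:space:]]//')

    # Ask the parent's authoritative server directly, not a recursive cache.
    answer=$(dig +short DS "$zone" @"$parent_ns" 2>/dev/null || true)

    if ds_visible "$expected" "$answer"; then
        # Key id is the number after the last '+' in the key-file name.
        keyid=$(printf '%s\n' "$keyfile" | sed 's/.*+0*//; s/\.key$//; s/\.private$//')
        echo "DS for key $keyid of $zone is at $parent_ns; telling named" >&2
        rndc dnssec -checkds -key "$keyid" published "$zone"
    else
        echo "DS for $keyfile not yet served by $parent_ns; not signalling named" >&2
        return 1
    fi
}

# Run the check only when invoked with the three arguments; sourcing the
# file for its functions does nothing.
if [ "$#" -eq 3 ]; then
    check_and_roll "$1" "$2" "$3"
fi
```

Usage: `./checkds.sh example.com Kexample.com.+013+12345 a.gtld-servers.net` from cron or from the rollover runbook, after the DS has been submitted to the registrar. The same pattern applies to the other half of the roll: once the old key's DS has disappeared from the parent, `rndc dnssec -checkds -key <old-id> withdrawn <zone>` lets named retire it, and the check there is the inverse (the old DS must be absent from every parent server, not present on one).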

