Ask for automated KSK roll with DS checking
rharolde at umich.edu
Thu Apr 15 14:35:20 UTC 2021
On Thu, Apr 15, 2021 at 8:50 AM Bob Harold <rharolde at umich.edu> wrote:
> On Thu, Apr 15, 2021 at 2:57 AM Matthijs Mekking <matthijs at isc.org> wrote:
>> On 14-04-2021 22:30, Greg Rivers via bind-users wrote:
>> > On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote:
>> >> Does anyone have an automated KSK roll process, that checks for the DS
>> >> record at the parent, that they can share?
>> >> As far as I can tell, the automated signing in BIND will roll the KSK if I
>> >> set the timing in the policy file, but it won't check the DS record, so it
>> >> will happily break DNSSEC if some other process does not update the DS
>> >> record at the right time. That's too big a risk for me, the process
>> >> to check the DS record before completing the KSK roll. Surely someone has
>> >> done this. I would rather not reinvent the wheel. But I have searched and
>> >> not found anything yet.
>> > As I understand it, the way it works now is that the actual KSK
>> > rollover won't occur until you execute `rndc dnssec -checkds ...`.
>> That is correct.
>> > I'm hopeful that named will fully automate this check at some point
>> It is on the roadmap:
>> - Matthijs
> Thank you both very much. I missed that, and I am testing with the
> RedHat RHEL7 version of BIND 9.11, which does not seem to wait. Looks like
> I will need to run a newer version of BIND, at least on my in-line signing
> Bob Harold
> University of Michigan
If BIND holds both the child and parent zone, will it add the DS record at
the correct time? Or do I still need to write scripts to update the DS
records in all my sub-zones? And is there some signal from BIND at the
time the DS record should be written, or do I need to calculate the right
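The `rndc dnssec -checkds` gate discussed in the quoted replies can be driven by a script that compares the DS RRset the parent actually serves with the DS expected for the new KSK, and only signals named once they match. This is an added example, not code from the thread or from ISC; it assumes BIND 9.16+ tools (dig, dnssec-dsfromkey, rndc), a constructed parent server name ns1.parent.example, and that the new KSK's public key files are passed as arguments.

```shell
#!/bin/sh
# Gate the KSK rollover on the parent's DS: run `rndc dnssec -checkds published`
# only once every DS expected for the new KSK is visible at the parent.
# Assumptions (constructed for this example): ZONE is the signed child zone,
# PARENT_NS is an authoritative server for the parent, and the new KSK's
# public key files (K<zone>.+<alg>+<tag>.key) are passed as arguments.
ZONE="${ZONE:-example.com}"
PARENT_NS="${PARENT_NS:-ns1.parent.example}"
# Reduce DS rdata to "keytag alg digesttype DIGEST" (upper-case, whitespace-free
# digest) so records printed by different tools compare equal.
normalize_ds() {
    awk 'NF >= 4 { d = ""; for (i = 4; i <= NF; i++) d = d $i
                   print $1, $2, $3, toupper(d) }'
}

# ds_published EXPECTED PARENT: 0 if every expected DS line (newline-separated
# rdata, as printed by `dig +short DS`) is in the parent's DS set, 1 if any is
# missing, 2 if there is nothing to expect (never approve an empty expectation).
ds_published() {
    expected=$(printf '%s\n' "$1" | normalize_ds | sort -u)
    parent=$(printf '%s\n' "$2" | normalize_ds | sort -u)
    [ -n "$expected" ] || return 2
    printf '%s\n' "$expected" | while IFS= read -r ds; do
        printf '%s\n' "$parent" | grep -qxF -- "$ds" || exit 1
    done
}

# Expected DS rdata for the given key files; dnssec-dsfromkey prints
# "<zone>. IN DS <tag> <alg> <dt> <digest>", so drop owner, class and type.
expected_ds_from_keyfiles() {
    for keyfile in "$@"; do
        dnssec-dsfromkey -2 "$keyfile" | awk '{ $1 = $2 = $3 = ""; sub(/^ +/, ""); print }'
    done
}
# DS RRset as served by the parent's authoritative server (rdata only).
parent_ds_set() {
    dig +short +norecurse "@$PARENT_NS" DS "$ZONE"
}
main() {
    expected=$(expected_ds_from_keyfiles "$@")
    parent=$(parent_ds_set)
    if ds_published "$expected" "$parent"; then
        rndc dnssec -checkds published "$ZONE"   # named may now complete the KSK roll
    else
        echo "DS for the new KSK not yet visible at $PARENT_NS; not signalling named" >&2
        return 1
    fi
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it from cron with the new KSK's .key file as the argument; it exits non-zero and touches nothing until the parent serves the matching DS, and the same comparison can be reused with `-checkds withdrawn` once the old DS disappears.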