Ask for automated KSK roll with DS checking
matthijs at isc.org
Fri Apr 16 06:13:50 UTC 2021
On 15-04-2021 18:44, Tony Finch wrote:
> Matthijs Mekking <matthijs at isc.org> wrote:
>> On 15-04-2021 16:35, Bob Harold wrote:
>>> If BIND holds both the child and parent zone, will it add the DS record
>>> at the correct time? Or do I still need to write scripts to update the
>>> DS records in all my sub-zones? And is there some signal from BIND at
>>> the time the DS record should be written, or do I need to calculate the
>>> right time?
>> Currently you still have to write scripts to update DS records in all
>> your parent zones.
>> The CDS/CDNSKEY records are published in the child zones that indicate
>> the DS should be published, so I would script against that.
>> Then when the DS is seen in the parent, call the rndc dnssec -checkds
>> published/withdrawn command.
> dnssec-cds can tell you what the parental DS record(s) should be. It
> can maintain a dsset file for each child zone that you can $INCLUDE in the
> parent. It's fairly bare so it needs to be wrapped with a script that does
> the necessary queries and updates.
> I don't know if the dnssec-policy stuff includes timing parameters or
> checks to protect against parental publication delays; if not then the
> wrapper script will have to keep track of time or poll the parent servers
> or something.
After you have issued the 'rndc dnssec -checkds published' command
(which should be done only if you have seen the DS in the parent), BIND
will wait for 'parent-ds-ttl' plus 'parent-propagation-delay' plus
'retire-safety' before actually considering the DS omnipresent. The DS
needs to be omnipresent before the predecessor DNSKEY may be removed.

The defaults for these values are 1 day, 1 hour, and 1 hour. So after
running the 'rndc dnssec -checkds published' command, by default the
rollover will continue 26 hours later.

You should set these parameters to whatever your parent zone is using.
You should set the 'retire-safety' delay to whatever you feel
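The check-then-wait sequence described in this thread, as an added example that is not BIND's own code: it compares the CDS set a child publishes with the DS set seen in the parent to decide whether 'rndc dnssec -checkds published' (or 'withdrawn') is warranted, and computes the omnipresence wait from the 'parent-ds-ttl', 'parent-propagation-delay' and 'retire-safety' timers. The records and timestamp are constructed samples; a real wrapper script would fetch the CDS and DS sets with dig.

```python
from datetime import datetime, timedelta, timezone

# Assumed dnssec-policy values: BIND's defaults as quoted in the thread.
PARENT_DS_TTL = timedelta(days=1)
PARENT_PROPAGATION_DELAY = timedelta(hours=1)
RETIRE_SAFETY = timedelta(hours=1)

def parse_ds_rdata(rdata: str) -> tuple:
    """Parse 'keytag algorithm digesttype digest' (CDS and DS share this form).
    Presentation format may split the digest on whitespace, so rejoin it."""
    keytag, alg, digest_type, *digest = rdata.split()
    return int(keytag), int(alg), int(digest_type), "".join(digest).lower()

def ds_published(child_cds: list, parent_ds: list) -> bool:
    """True once every CDS the child publishes has a matching DS in the parent:
    the condition for issuing 'rndc dnssec -checkds published'."""
    wanted = {parse_ds_rdata(r) for r in child_cds}
    present = {parse_ds_rdata(r) for r in parent_ds}
    return bool(wanted) and wanted <= present

def ds_withdrawn(predecessor_keytag: int, parent_ds: list) -> bool:
    """True once no DS for the retired key remains in the parent: the condition
    for 'rndc dnssec -checkds withdrawn'. Key tags can collide, so a real
    script should compare the digest as well."""
    return all(parse_ds_rdata(r)[0] != predecessor_keytag for r in parent_ds)

def omnipresent_wait(parent_ds_ttl=PARENT_DS_TTL,
                     parent_propagation_delay=PARENT_PROPAGATION_DELAY,
                     retire_safety=RETIRE_SAFETY) -> timedelta:
    """Time BIND waits after '-checkds published' before treating the DS as
    omnipresent: 26 hours with the defaults."""
    return parent_ds_ttl + parent_propagation_delay + retire_safety

def ds_omnipresent_at(checkds_time: datetime, **policy) -> datetime:
    """Earliest moment the predecessor DNSKEY may be removed."""
    return checkds_time + omnipresent_wait(**policy)

# Constructed sample: one CDS in the child, the same DS in the parent (uppercase hex).
SAMPLE_CDS = ["12345 13 2 " + "ab" * 32]
SAMPLE_PARENT_DS = ["12345 13 2 " + "AB" * 32]
SAMPLE_CHECKDS_TIME = datetime(2021, 4, 16, 6, 13, 50, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("DS published:", ds_published(SAMPLE_CDS, SAMPLE_PARENT_DS))
    print("predecessor DS gone:", ds_withdrawn(11111, SAMPLE_PARENT_DS))
    print("DS omnipresent at:", ds_omnipresent_at(SAMPLE_CHECKDS_TIME))
```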