Ask for automated KSK roll with DS checking

Matthijs Mekking matthijs at isc.org
Fri Apr 16 06:13:50 UTC 2021 


On 15-04-2021 18:44, Tony Finch wrote:
> Matthijs Mekking <matthijs at isc.org> wrote:
>> On 15-04-2021 16:35, Bob Harold wrote:
>>>
>>> If BIND holds both the child and parent zone, will it add the DS record
>>> at the correct time?  Or do I still need to write scripts to update the
>>> DS records in all my sub-zones?  And is there some signal from BIND at
>>> the time the DS record should be written, or do i need to calculate the
>>> right time?
>>
>> Currently you still have to write scripts to update DS records in all
>> your parent zones.
>>
>> The CDS/CDNSKEY records are published in the child zones that indicate
>> the DS should be published, so I would script against that.
>>
>> Then when the DS is seen in the parent, call the rndc dnssec -checkds
>> published/withdrawn command.
> 
> dnssec-cds can tell you what the parental DS record(s) should be. It
> can maintain a dsset file for each child zone that you can $INCLUDE in the
> parent. It's fairly bare so it needs to be wrapped with a script that does
> the necessary queries and updates.
> 
> I don't know if the dnssec-policy stuff includes timing parameters or
> checks to protect against parental publication delays; if not then the
> wrapper script will have to keep track of time or poll the parent servers
> or something.

It does.

After you have issued the 'rndc dnssec -checkds published' command 
(which should be done only if you have seen the DS in the parent), BIND 
will wait for 'parent-ds-ttl' plus 'parent-propagation-delay' plus 
'retire-safety' before actually considering the DS omnipresent. The DS 
needs to be omnipresent before the predecessor DNSKEY may be removed.

The defaults for these values are 1 day, 1 hour, and 1 hour. So after 
running the 'rndc dnssec -checkds published' command, by default the 
rollover will continue 26 hours later.

You should set these parameters to whatever your parent zone is using. 
You should set the 'retire-safety' delay to whatever you feel 
comfortable with.

Best regards,

Matthijs


> 
> Tony.
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>

More information about the bind-users mailing list