AW: AW: Deprecating auto-dnssec and inline-signing in 9.18+

Matthijs Mekking matthijs at isc.org
Tue Aug 10 13:30:10 UTC 2021


Thanks, I got some more suggestions to improve the KB article, I'll 
include yours to that list.

On 10-08-2021 15:28, Klaus Darilion wrote:
>> On 10-08-2021 13:38, Klaus Darilion wrote:
>>> Hi Matthijs!
>>>
>>>> We would like to encourage you to change your configurations to
>>>> 'dnssec-policy'. See this KB article for migration help:
>>>>
>>>> https://kb.isc.org/docs/dnssec-key-and-signing-policy
>>>
>>> Some comments to this KB article and dnssec-policy:
>>>
>>> - The article should mention how to retrieve the DS record from
>>> Bind.
>>
>> I am not sure what you are asking. Do you mean how to convert the DS
>> from the DNSKEY record so you can submit it to the registrar?
> 
> Yes. By reading this KB I do not know how the user will be informed which DS (or DNSKEY) must be submitted to the parent zone. I know how to convert a DNSKEY to DS, but IMO the KB is very good but misses that point.
> 
>>> - How does Bind handle duplicate keyids when generating new keys?
>>> Will Bind ensure that there will not be any duplicate key ids or
>>> will it just use the duplicate keys? In the latter case the "rndc
>>> dnssec -checkds -key 12345 ..." commands will be ambiguous. (From a
>>> user perspective duplicate keyids should be avoided)
>>
>> BIND will check for key id collision. When a conflict (for the same
>> algorithm) is detected a new key will be generated.
> 
> Thanks for the info, could be mentioned somewhere
> Klaus
> 

