[DNSSEC] testing KASP

Matthijs Mekking matthijs at isc.org
Fri May 17 13:12:46 UTC 2024


Hi,

On 5/16/24 14:02, adrien sipasseuth wrote:
> Hello,
> 
> I am trying to set up a testing environment in order to create some scripts 
> for automating the KSK rollover.
> 
> ############# question 1 #############
> This is my policy:
> 
> dnssec-policy "test" {
>      keys {
>          ksk lifetime P3D algorithm ecdsa256 2048;
>          zsk lifetime P1D algorithm ecdsa256 2048;
>      };
> 
>      // Key timings
>      purge-keys P4D;
> 
>      // Signature timings
>      signatures-refresh  PT50M;
>      signatures-validity PT1H;
>      signatures-validity-dnskey PT1H;
> 
>      // Zone parameters
>      max-zone-ttl PT1H;
>      parent-ds-ttl PT1H;
> 
> };
> 
> I would like to automatically update the new DS at my registrar; to do it, this is my 
> logic:
> 
> For each file in .state
>      If is KSK with "DSState: rumoured" or "DSState: hidden"
>          If not in my registrar (dig ds <my_zone> +dnssec +multiline)
>              Publish on my Registrar (api register)
>              Notify Bind (bind rndc dnssec -checkds -key <ID> published 
> <my_zone>)

Only if KSK has DSState: rumoured. If the DSState is hidden it means 
that it is not expected to be in the parent (for example because the 
DNSKEY has not yet been fully propagated).


> Do I need to withdraw the old key too immediately? Anything else to do?

Do you mean withdraw the old DS?

I would use similar logic but then use "unretentive" instead of 
"rumoured". Following the example above:

For each file in .state
     If is KSK with "DSState: unretentive"
         If in my registrar (dig ds <my_zone> +dnssec +multiline)
             Withdraw on my Registrar (api register)
             Notify Bind (bind rndc dnssec -checkds -key <ID> withdrawn <my_zone>)


> ############# question 2 #############
> If I want to unsign a zone, I change my policy to "insecure", which is the 
> default, but files like <my_zone>.signed still exist; Bind doesn't remove them?

Correct. If all DNSSEC records have been removed, it is safe to remove 
the "dnssec-policy" configuration from your named.conf and then remove 
the .signed file.

Unsigning your zone also takes time.


> ############# question 3 #############
> 
> In the state file, when the remove date is reached, can I just remove the key? 
> Anything else to do?

When all states are "hidden" it is safe to remove the key.

Best regards,

Matthijs


> Regards,
> Adrien SIPASSEUTH
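The decision logic from both parts of this thread (publish the DS when a KSK's DSState is "rumoured" and the parent does not have it, withdraw it when the DSState is "unretentive" and the parent still has it, delete the key files once every state is "hidden") as an added, stand-alone Python example. It is not code from the thread or from ISC: the `.state` files below are constructed samples in the format BIND writes (the `K<zone>.+<alg>+<keytag>.state` file name and the `KSK:`, `DSState:` and related lines), the set of key tags the parent currently serves is passed in as a plain set rather than obtained from `dig ds`, and the rndc invocation is only built as a string, not executed. A state line that is absent from a file is treated as "not applicable" (for example DSState on a ZSK); that is an assumption of this example.

```python
"""Plan DS publish/withdraw/delete actions from BIND key state files."""
import re
from dataclasses import dataclass, field

# The per-key states BIND records in a .state file; values are
# hidden, rumoured, omnipresent or unretentive.
STATE_FIELDS = ("DNSKEYState", "ZRRSIGState", "KRRSIGState", "DSState", "GoalState")

# Standard key file naming: K<zone>.+<alg>+<keytag>.state
FILENAME_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.state$")


@dataclass
class KeyState:
    zone: str
    algorithm: int
    keytag: int
    ksk: bool
    states: dict = field(default_factory=dict)


def parse_state_file(filename: str, text: str) -> KeyState:
    """Parse one .state file; zone, algorithm and key tag come from the file name."""
    m = FILENAME_RE.match(filename)
    if not m:
        raise ValueError(f"not a key state file name: {filename}")
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # comments and blank lines
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    # Assumption: a state that is not written is "not applicable" for this key.
    states = {k: fields[k] for k in STATE_FIELDS if k in fields}
    return KeyState(zone=m["zone"], algorithm=int(m["alg"]), keytag=int(m["tag"]),
                    ksk=fields.get("KSK", "no") == "yes", states=states)


def ds_action(key: KeyState, parent_ds_keytags: set):
    """'publish', 'withdraw' or None, following the thread's logic.

    rumoured  -> DS must be at the parent: publish if it is missing there.
    unretentive -> DS must leave the parent: withdraw if it is still there.
    hidden / omnipresent -> nothing to do from the registrar side.
    """
    if not key.ksk:
        return None
    in_parent = key.keytag in parent_ds_keytags
    state = key.states.get("DSState")
    if state == "rumoured" and not in_parent:
        return "publish"
    if state == "unretentive" and in_parent:
        return "withdraw"
    return None


def rndc_checkds_command(key: KeyState, action: str) -> str:
    """Command telling named that the DS change at the parent is done."""
    word = {"publish": "published", "withdraw": "withdrawn"}[action]
    return f"rndc dnssec -checkds -key {key.keytag} {word} {key.zone}"


def safe_to_delete(key: KeyState) -> bool:
    """Per the reply: only when every recorded state is hidden."""
    return all(v == "hidden" for v in key.states.values())


def plan(files: dict, parent_ds_keytags: set) -> dict:
    """Map key tag -> rndc command, 'safe to delete key files', or None."""
    out = {}
    for name, text in files.items():
        key = parse_state_file(name, text)
        action = ds_action(key, parent_ds_keytags)
        if action:
            out[key.keytag] = rndc_checkds_command(key, action)
        elif safe_to_delete(key):
            out[key.keytag] = "safe to delete key files"
        else:
            out[key.keytag] = None
    return out


# Constructed sample state files (not real keys): a new KSK, a retiring KSK,
# a fully hidden old KSK and a ZSK.
SAMPLE_FILES = {
    "Kexample.com.+013+11111.state": "; state of key 11111\nAlgorithm: 13\nLength: 256\n"
        "KSK: yes\nZSK: no\nDNSKEYState: omnipresent\nKRRSIGState: omnipresent\n"
        "DSState: rumoured\nGoalState: omnipresent\n",
    "Kexample.com.+013+22222.state": "Algorithm: 13\nLength: 256\nKSK: yes\nZSK: no\n"
        "DNSKEYState: omnipresent\nKRRSIGState: omnipresent\n"
        "DSState: unretentive\nGoalState: hidden\n",
    "Kexample.com.+013+33333.state": "Algorithm: 13\nLength: 256\nKSK: yes\nZSK: no\n"
        "DNSKEYState: hidden\nKRRSIGState: hidden\nDSState: hidden\nGoalState: hidden\n",
    "Kexample.com.+013+44444.state": "Algorithm: 13\nLength: 256\nKSK: no\nZSK: yes\n"
        "DNSKEYState: omnipresent\nZRRSIGState: omnipresent\nGoalState: omnipresent\n",
}
# Constructed stand-in for the key tags seen in `dig ds example.com +dnssec +multiline`.
PARENT_DS_KEYTAGS = {22222}

if __name__ == "__main__":
    for tag, what in sorted(plan(SAMPLE_FILES, PARENT_DS_KEYTAGS).items()):
        print(tag, what)
```

One thing the thread's pseudocode leaves open is the run that published the DS at the registrar but died before calling `rndc dnssec -checkds`: on the next run the DS is already at the parent, so no action is taken and the key stays "rumoured". A script built on this should also send the `published` (or `withdrawn`) notification whenever the parent already matches the desired state, or rely on named's own parent check where that is configured.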