[DNSSEC] testing KASP
Petr Špaček
pspacek at isc.org
Wed May 29 12:47:22 UTC 2024
On 29. 05. 24 11:31, adrien sipasseuth wrote:
> Only if KSK has DSState: rumoured. If the DSState is hidden it means
> that it is not expected to be in the parent (for example because the
> DNSKEY has not yet been fully propagated).
>
>
> > Do you need to withdraw the old key too immediately? Anything else to
> > do?
>
> >>> Do you mean withdraw the old DS?
>
> Yes, the old DS should not yet be withdrawn because some RRSIGs could
> still be valid? Or can I withdraw the old DS / KSK immediately?
>
> In my logic:
> For each file in .state
>   If it is a KSK with "DSState: rumoured" or "DSState: hidden"
>     If not in my registrar (dig ds <my_zone> +dnssec +multiline)
>       Publish on my registrar (API register)
>       Notify BIND (rndc dnssec -checkds -key <New ID KSK>
>         published <my_zone>)
>       Notify BIND (rndc dnssec -checkds -key <Old ID KSK>
>         withdraw <my_zone>)
>
> In my understanding, I shouldn't do "Notify BIND (rndc dnssec
> -checkds -key <Old ID KSK> withdraw <my_zone>)" and should wait until all
> RRSIGs signed with the old KSK expire. In that case, how can I check this?
> (Some dig command? Or check the state file for "DSState: unretentive"?)
I think the best approach is to enable the "checkds" feature and leave it up
to BIND to decide when it's safe to do the next state transition. There
should not be a need to do the rndc magic.
See
https://bind9.readthedocs.io/en/latest/reference.html#automated-ksk-rollovers
and also
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-parental-agents
I hope it helps.
--
Petr Špaček
Internet Systems Consortium
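As an added illustration of the reconciliation logic discussed in this thread (not code from BIND, ISC, or either poster): the script below parses the `KSK:` and `DSState:` fields from BIND key state files, extracts the key tags the parent currently serves from a `dig ds <zone> +dnssec +multiline` answer, and reports which KSKs still need a DS published or withdrawn at the parent. Only KSKs with `DSState: rumoured` are expected at the parent (per the quoted explanation above); `hidden` keys are skipped, `unretentive` keys should be leaving, and `omnipresent` keys missing at the parent are flagged as a mismatch. Every state file, the dig output, and the zone/key tags are constructed sample input; the action names are this example's own vocabulary, and with `parental-agents` configured BIND performs the "confirm" steps itself.

```python
"""Reconcile BIND KSK DS states with the DS RRset the parent actually serves.

Added example for this thread, not BIND's own code. Assumes BIND's
K<zone>+<alg>+<keytag>.state file naming and its "Field: value" line format;
all inputs below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed state files (trimmed to the fields this check needs).
STATE_FILES = {
    "Kexample.com.+013+12345.state": """\
; This is the state of key 12345, for example.com.
Algorithm: 13
KSK: yes
ZSK: no
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: unretentive
GoalState: hidden
""",
    "Kexample.com.+013+54321.state": """\
; This is the state of key 54321, for example.com.
Algorithm: 13
KSK: yes
ZSK: no
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: rumoured
GoalState: omnipresent
""",
    "Kexample.com.+013+11111.state": """\
; ZSK: never has a DS at the parent, so it is ignored below.
Algorithm: 13
KSK: no
ZSK: yes
DNSKEYState: omnipresent
DSState: hidden
GoalState: omnipresent
""",
}

# Constructed answer section of `dig ds example.com +dnssec +multiline`.
DIG_DS_OUTPUT = """\
example.com.            3600 IN DS 12345 13 2 (
                                AABBCCDDEEFF00112233445566778899
                                AABBCCDDEEFF00112233445566778899 )
example.com.            3600 IN RRSIG DS 13 2 3600 (
                                20240612000000 20240529000000 9999 com.
                                c29tZS1zaWduYXR1cmU= )
"""

FILENAME_RE = re.compile(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.state$")
# Match only DS records; the RRSIG line for the DS RRset must not count.
DS_RE = re.compile(r"^\S+\s+\d+\s+IN\s+DS\s+(?P<tag>\d+)\s+", re.MULTILINE)


@dataclass
class KeyState:
    zone: str
    keytag: int
    ksk: bool
    ds_state: str


def parse_state_file(name: str, text: str) -> KeyState:
    """Read the key tag from the file name and KSK/DSState from the body."""
    m = FILENAME_RE.match(name)
    if not m:
        raise ValueError(f"not a BIND key state file name: {name}")
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue  # comments and blank lines
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return KeyState(zone=m["zone"], keytag=int(m["tag"]),
                    ksk=fields.get("KSK") == "yes",
                    ds_state=fields.get("DSState", "hidden"))


def parent_ds_keytags(dig_output: str) -> set[int]:
    """Key tags of the DS records the parent currently serves."""
    return {int(m["tag"]) for m in DS_RE.finditer(dig_output)}


def ds_actions(keys: list[KeyState], parent_tags: set[int]) -> list[tuple[int, str]]:
    """Per KSK: what (if anything) the operator still has to do at the parent."""
    actions = []
    for k in keys:
        if not k.ksk:
            continue  # ZSKs never have a DS
        present = k.keytag in parent_tags
        if k.ds_state == "rumoured":        # DS is supposed to be appearing
            actions.append((k.keytag, "confirm-published" if present else "publish"))
        elif k.ds_state == "unretentive":   # DS is supposed to be going away
            actions.append((k.keytag, "withdraw" if present else "confirm-withdrawn"))
        elif k.ds_state == "omnipresent" and not present:
            actions.append((k.keytag, "mismatch: BIND assumes DS, parent lacks it"))
        # "hidden": nothing is expected at the parent yet, so nothing to do.
    return actions


if __name__ == "__main__":
    keys = [parse_state_file(n, t) for n, t in STATE_FILES.items()]
    for tag, action in ds_actions(keys, parent_ds_keytags(DIG_DS_OUTPUT)):
        print(f"key {tag}: {action}")
```

Run against the constructed input it reports that the old KSK 12345 still has to be withdrawn at the parent and the new KSK 54321 still has to be published; once the parent's DS RRset changes, the same keys move to the "confirm" actions, which is the point at which BIND, with `checkds` automation and `parental-agents`, advances the DS state on its own.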