CDNSKEY / CDS for key is now published - but why?

Danilo Godec danilo.godec at agenda.si
Wed Oct 2 09:58:22 UTC 2024


Hi all,

yesterday I filled my day fiddling with DNSSEC for a couple of my test 
domains - both have been signed 'manually' before, but I haven't 
published the DS record.


So yesterday I set up both for dnssec-policy, while also changing the 
signing algorithm and keys (basically started from scratch):

dnssec-policy "nsec3_no_rotate" {
         keys {
                 ksk key-directory lifetime unlimited algorithm 13;
                 zsk key-directory lifetime unlimited algorithm 13;
         };
         nsec3param iterations 0 optout false;
};

...

         zone "sociopat.si" {
                 type master;
                 file "master/Danci/sociopat.si.hosts";
                 key-directory "master/Danci/keys";
                 dnssec-policy "nsec3_no_rotate";
                 inline-signing yes;
         };

         zone "psihopat.si" {
                 type master;
                 file "master/Danci/psihopat.si.hosts";
                 key-directory "master/Danci/keys";
                 dnssec-policy "nsec3_no_rotate";
                 inline-signing yes;
         };
...


I published DS records through my registrar and after a couple of hours 
all seemed fine - both Verisign dnssec-analyzer and DNSViz show no 
errors or warnings for them.


However, today bind logged this:

named[17379]: general: info: CDNSKEY for key sociopat.si/ECDSAP256SHA256/61220 is now published
named[17379]: general: info: CDS for key sociopat.si/ECDSAP256SHA256/61220 is now published


I'm pretty sure this is not bad or wrong, but I would like to sort of 
understand why Bind decided it needs to publish CDS / CDNSKEY for this 
one and not the other one, given that DS records are published in ccTLDs:

# dig ds sociopat.si
;; QUESTION SECTION:
;sociopat.si.                   IN      DS

;; ANSWER SECTION:
sociopat.si.            5826    IN      DS      61220 13 2 D8C1553B3D6BCF7A704A3D821069F57B6946DCA1D198D303E3B4C730 616F92AD


# dig ds psihopat.si

;; QUESTION SECTION:
;psihopat.si.                   IN      DS

;; ANSWER SECTION:
psihopat.si.            7200    IN      DS      7162 13 2 3C5A5625F848DBCF99A0B85017AFE04FD1F681037B61BE970D57AE9F 90F21CD8


Also, as far as I know, .si DNS servers don't support CDS / CDNSKEY, so 
publishing them might be futile.


   Regards,

    Danilo
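
The check a defender would run on a situation like the one above is to recompute the DS from the zone's own DNSKEY and compare it with what the parent serves (and with the CDS the child publishes, since CDS carries the same rdata as DS). The following is an added example, not code from the original post or from BIND: it follows RFC 4034 (DNSKEY/DS wire format and key tag) and RFC 4509 (digest type 2, SHA-256), parses DS rdata in the form dig prints it, and compares. The public key bytes in `main` are constructed sample data, not a real key, so the computed digest will not equal the one shown for sociopat.si; a real comparison would feed the zone's actual DNSKEY rdata.

```python
"""Recompute a DS record from a DNSKEY and compare it with a DS/CDS record.

Added example, not code from the original post or from BIND. Implements
RFC 4034 (DNSKEY/DS wire format, key tag algorithm) and RFC 4509
(DS digest type 2 = SHA-256). The public key used in main() is a
constructed sample, not a real key.
"""
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest_hex: str  # lowercase hex, no whitespace


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by a zero-length root label (RFC 4034 section 6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for every algorithm except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> DS:
    """DS with digest type 2: SHA-256 over owner name (wire form) + DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), algorithm, 2, digest)


def parse_ds_rdata(text: str) -> DS:
    """Parse DS/CDS rdata as dig prints it, e.g.
    '61220 13 2 D8C1... 616F92AD'; dig may split the digest with whitespace."""
    fields = text.split()
    tag, alg, dtype = (int(x) for x in fields[:3])
    return DS(tag, alg, dtype, "".join(fields[3:]).lower())


def ds_matches(parent_ds: DS, computed: DS) -> bool:
    """True when key tag, algorithm, digest type and digest all agree."""
    return parent_ds == computed


def main() -> None:
    # DS rdata for sociopat.si as shown in the dig output in the post.
    parent = parse_ds_rdata(
        "61220 13 2 D8C1553B3D6BCF7A704A3D821069F57B6946DCA1D198D303E3B4C730 616F92AD"
    )
    # Constructed sample key (64 bytes, the size of an ECDSA P-256 public key),
    # NOT the zone's real DNSKEY, so the digests are expected not to match here.
    sample_pubkey = bytes(range(64))
    computed = ds_from_dnskey("sociopat.si.", 257, 3, 13, sample_pubkey)
    print("parent DS  :", parent)
    print("computed DS:", computed)
    print("match      :", ds_matches(parent, computed))


if __name__ == "__main__":
    main()
```

To use it against a live zone, paste the DS rdata from `dig ds <zone>` into `parse_ds_rdata` and the DNSKEY fields from `dig dnskey <zone>` (base64-decode the key) into `ds_from_dnskey`; the same `parse_ds_rdata` accepts a CDS record, so the child's published CDS can be checked against the parent's DS the same way.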
