CDNSKEY / CDS for key is now published - but why?

Danilo Godec danilo.godec at agenda.si
Thu Oct 3 11:39:25 UTC 2024


Thanks,

so patience is really the name of the game here. )


One more question, if I may - I noticed that the serial number in the signed 
zone gets 'out-of-sync' compared to my source text zone file. I guess 
that happens when BIND publishes CDS / CDNSKEY records etc.

Is the serial number in my source text zone file still relevant? If it 
is, I suppose increasing it by one is no longer good enough - I probably 
need to check the actual SOA and then use that as 'base' and increase 
that by 1, right?


    Regards,

     Danilo




On 2. 10. 24 15:13, Matthijs Mekking wrote:
> Hi,
>
> The change from rumoured to omnipresent is TTL dependent. To be 
> precise: it is the sum of the configured parent-ds-ttl, 
> parent-propagation-delay, and retire-safety.
>
> - Matthijs
>
> On 10/2/24 14:55, Danilo Godec via bind-users wrote:
>> Hi Matthijs,
>>
>>
>> thanks,  that explains a bunch.
>>
>> I checked both domains with 'rndc dnssec -status' and they do show 
>> different states:
>>
>> # rndc dnssec -status psihopat.si
>> dnssec-policy: nsec3_no_rotate
>> current time:  Wed Oct  2 14:25:31 2024
>>
>> key: 37651 (ECDSAP256SHA256), ZSK
>>    published:      yes - since Tue Oct  1 20:23:24 2024
>>    zone signing:   yes - since Tue Oct  1 20:23:24 2024
>>
>>    No rollover scheduled
>>    - goal:           omnipresent
>>    - dnskey:         omnipresent
>>    - zone rrsig:     rumoured
>>
>> key: 7162 (ECDSAP256SHA256), KSK
>>    published:      yes - since Tue Oct  1 20:23:24 2024
>>    key signing:    yes - since Tue Oct  1 20:23:24 2024
>>
>>    No rollover scheduled
>>    - goal:           omnipresent
>>    - dnskey:         omnipresent
>>    - ds:             hidden
>>    - key rrsig:      omnipresent
>>
>>
>> # rndc dnssec -status sociopat.si
>> dnssec-policy: nsec3_no_rotate
>> current time:  Wed Oct  2 14:25:34 2024
>>
>> key: 17354 (ECDSAP256SHA256), ZSK
>>    published:      yes - since Tue Oct  1 10:09:53 2024
>>    zone signing:   yes - since Tue Oct  1 10:09:53 2024
>>
>>    No rollover scheduled
>>    - goal:           omnipresent
>>    - dnskey:         omnipresent
>>    - zone rrsig:     omnipresent
>>
>> key: 61220 (ECDSAP256SHA256), KSK
>>    published:      yes - since Tue Oct  1 10:09:53 2024
>>    key signing:    yes - since Tue Oct  1 10:09:53 2024
>>
>>    No rollover scheduled
>>    - goal:           omnipresent
>>    - dnskey:         omnipresent
>>    - ds:             rumoured
>>    - key rrsig:      omnipresent
>>
>>
>> So I ran 'rndc dnssec -checkds published' for both zones:
>>
>> # rndc dnssec -checkds published sociopat.si
>> Marked DS as published since 02-Oct-2024 14:33:33.000
>>
>> # rndc dnssec -checkds published legenda.si
>> Marked DS as published since 02-Oct-2024 14:33:47.000
>>
>> That changed KSK DS state from *hidden* to *rumoured* for 
>> psihopat.si, but made no change to sociopat.si.
>>
>>
>> Should the change be immediate or is it also TTL dependent?
>>
>>
>>
>>     Regards,
>>
>>     Danilo
>>
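As an added example (not part of the thread, and not BIND's own code), here is a small Python parser for the `rndc dnssec -status` output quoted above. It flags every record state that has not yet reached the key's goal, which is the quickest way to see why a CDS/CDNSKEY is not out yet, and it computes the rumoured-to-omnipresent wait for the DS from the three dnssec-policy values Matthijs names. The sample input is the psihopat.si status from the thread, pasted inline; the timer values (parent-ds-ttl 1d, parent-propagation-delay 1h, retire-safety 1h) are assumed defaults, so take the real ones from your named.conf.

```python
import re
from datetime import timedelta

# Constructed sample: the psihopat.si 'rndc dnssec -status' output quoted in the thread.
SAMPLE_STATUS = """\
dnssec-policy: nsec3_no_rotate
current time:  Wed Oct  2 14:25:31 2024

key: 37651 (ECDSAP256SHA256), ZSK
   published:      yes - since Tue Oct  1 20:23:24 2024
   zone signing:   yes - since Tue Oct  1 20:23:24 2024

   No rollover scheduled
   - goal:           omnipresent
   - dnskey:         omnipresent
   - zone rrsig:     rumoured

key: 7162 (ECDSAP256SHA256), KSK
   published:      yes - since Tue Oct  1 20:23:24 2024
   key signing:    yes - since Tue Oct  1 20:23:24 2024

   No rollover scheduled
   - goal:           omnipresent
   - dnskey:         omnipresent
   - ds:             hidden
   - key rrsig:      omnipresent
"""

# "key: <id> (<algorithm>), <KSK|ZSK|CSK>"
KEY_RE = re.compile(r"^key:\s+(\d+)\s+\(([^)]+)\),\s+(KSK|ZSK|CSK)")
# "   - <record>:   <state>"  (record names can contain a space, e.g. "zone rrsig")
STATE_RE = re.compile(r"^\s+-\s+([a-z ]+?):\s+(\w+)$")


def parse_status(text):
    """Parse rndc dnssec -status output into {key_id: {type, alg, states}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = {"type": m.group(3), "alg": m.group(2), "states": {}}
            keys[int(m.group(1))] = current
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            current["states"][m.group(1)] = m.group(2)
    return keys


def pending_states(keys):
    """Return (key_id, record, state) for every record state that differs from the key's goal."""
    out = []
    for kid, info in keys.items():
        goal = info["states"].get("goal")
        for rec, state in info["states"].items():
            if rec != "goal" and state != goal:
                out.append((kid, rec, state))
    return sorted(out)


def ds_settle_time(parent_ds_ttl=86400, parent_propagation_delay=3600, retire_safety=3600):
    """Time for the DS state to move from rumoured to omnipresent, as the sum
    Matthijs gives: parent-ds-ttl + parent-propagation-delay + retire-safety.
    The defaults here are assumed BIND defaults (1d, 1h, 1h)."""
    return timedelta(seconds=parent_ds_ttl + parent_propagation_delay + retire_safety)


if __name__ == "__main__":
    keys = parse_status(SAMPLE_STATUS)
    for kid, rec, state in pending_states(keys):
        print(f"key {kid} ({keys[kid]['type']}): {rec} is {state}, goal is {keys[kid]['states']['goal']}")
    print("expected DS rumoured -> omnipresent wait:", ds_settle_time())
```

Run it against `rndc dnssec -status <zone>` output (pipe it into `parse_status`) and an empty result from `pending_states` means every state has reached its goal; a `ds: hidden` entry is the hint that `rndc dnssec -checkds published` has not been run yet, while `ds: rumoured` simply means the timer returned by `ds_settle_time` has not expired.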

