CDNSKEY / CDS for key is now published - but why?

Matthijs Mekking matthijs at isc.org
Fri Oct 4 11:45:05 UTC 2024


Hi Danilo,

I'm assuming from your message that you are using inline-signing, where the 
unsigned and signed zones are maintained separately. If so, you should be 
able to make changes to the zone file and just bump the serial in the 
unsigned zone, and the changes should be picked up.

Best regards,

Matthijs

On 10/3/24 13:39, Danilo Godec via bind-users wrote:
> Thanks,
> 
> so patience is really the name of the game here. )
> 
> 
> One more question, if I may - I noticed that the serial number in signed 
> zone gets 'out-of-sync' compared to my source text zone file. I guess 
> that happens when Bind publishes CDS / CDNSKEY records etc.
> 
> Is the serial number in my source text zone file still relevant? If it 
> is, I suppose increasing it by one is no longer good enough - I probably 
> need to check the actual SOA and then use that as 'base' and increase 
> that by 1, right?
> 
> 
>     Regards,
> 
>      Danilo
> 
> 
> 
> 
> On 2. 10. 24 15:13, Matthijs Mekking wrote:
>> Hi,
>>
>> The change from rumoured to omnipresent is TTL dependent. To be 
>> precise: it is the sum of the configured parent-ds-ttl, 
>> parent-propagation-delay, and retire-safety.
>>
>> - Matthijs
>>
>> On 10/2/24 14:55, Danilo Godec via bind-users wrote:
>>> Hi Matthijs,
>>>
>>>
>>> thanks, that explains a bunch.
>>>
>>> I checked both domains with 'rndc dnssec -status' and they do show 
>>> different states:
>>>
>>> # rndc dnssec -status psihopat.si
>>> dnssec-policy: nsec3_no_rotate
>>> current time:  Wed Oct  2 14:25:31 2024
>>>
>>> key: 37651 (ECDSAP256SHA256), ZSK
>>>    published:      yes - since Tue Oct  1 20:23:24 2024
>>>    zone signing:   yes - since Tue Oct  1 20:23:24 2024
>>>
>>>    No rollover scheduled
>>>    - goal:           omnipresent
>>>    - dnskey:         omnipresent
>>>    - zone rrsig:     *rumoured*
>>>
>>> key: 7162 (ECDSAP256SHA256), KSK
>>>    published:      yes - since Tue Oct  1 20:23:24 2024
>>>    key signing:    yes - since Tue Oct  1 20:23:24 2024
>>>
>>>    No rollover scheduled
>>>    - goal:           omnipresent
>>>    - dnskey:         omnipresent
>>>    - ds:             *hidden*
>>>    - key rrsig:      omnipresent
>>>
>>>
>>> # rndc dnssec -status sociopat.si
>>> dnssec-policy: nsec3_no_rotate
>>> current time:  Wed Oct  2 14:25:34 2024
>>>
>>> key: 17354 (ECDSAP256SHA256), ZSK
>>>    published:      yes - since Tue Oct  1 10:09:53 2024
>>>    zone signing:   yes - since Tue Oct  1 10:09:53 2024
>>>
>>>    No rollover scheduled
>>>    - goal:           omnipresent
>>>    - dnskey:         omnipresent
>>>    - zone rrsig:     omnipresent
>>>
>>> key: 61220 (ECDSAP256SHA256), KSK
>>>    published:      yes - since Tue Oct  1 10:09:53 2024
>>>    key signing:    yes - since Tue Oct  1 10:09:53 2024
>>>
>>>    No rollover scheduled
>>>    - goal:           omnipresent
>>>    - dnskey:         omnipresent
>>>    - ds:             *rumoured*
>>>    - key rrsig:      omnipresent
>>>
>>>
>>> So I ran 'rndc dnssec -checkds published' for both zones:
>>>
>>> # rndc dnssec -checkds published sociopat.si
>>> Marked DS as published since 02-Oct-2024 14:33:33.000
>>>
>>> # rndc dnssec -checkds published legenda.si
>>> Marked DS as published since 02-Oct-2024 14:33:47.000
>>>
>>> That changed KSK DS state from *hidden* to *rumoured* for 
>>> psihopat.si, but made no change to sociopat.si.
>>>
>>>
>>> Should the change be immediate or is it also TTL dependent?
>>>
>>>
>>>
>>>     Regards,
>>>
>>>     Danilo
>>>

