<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi all,</p>
<p>I have been experimenting with BIND-9.16.1 &amp; KASP. So far -
it really looks great and it should greatly simplify DNSSEC for
the masses.</p>
<p>My named.conf entry:-</p>
<pre>dnssec-policy "ecdsa256-policy" {
    dnskey-ttl 3600;
    keys {
        ksk lifetime unlimited algorithm ecdsa256;
        zsk lifetime 34d algorithm ecdsa256;
    };
};

zone "smtp.co.za" {
    type master;
    file "/etc/ns.d/pri/smtp.co.za/db.smtp.co.za";
    key-directory "/etc/ns.d/pri/smtp.co.za/keys";
    dnssec-policy "ecdsa256-policy";
};
</pre>
<p>My experimental zone (smtp.co.za) is still waiting out the initial
period of (I think) about 25 hours since setup, so no CDS records
in the zone yet - but I do have two new unknown records. From the
command:-<br>
dig @localhost smtp.co.za axfr | grep -v RRSIG<br>
</p>
<pre>smtp.co.za. 1200 IN SOA jekyll.smtp.co.za. dns-admin.posix.co.za. 2018091104 86400 10800 604800 600
smtp.co.za. 0 IN TYPE65534 \# 5 0D0D740001
smtp.co.za. 0 IN TYPE65534 \# 5 0D1BDA0001
smtp.co.za. 3600 IN DNSKEY 256 3 13 Rty3kVtsujkbxhKfvVP/xaK2vKetLwBxW9cd0M0GxrpIh8PdvAoTC8uspgljMfMC5PIfNeLp+ZZKH0D0nJVSGg==
smtp.co.za. 3600 IN DNSKEY 257 3 13 LlDBhlTpPzo7/8hgaIe8AursP216+EuqYjwO23k8dlmIFqKRUEspMPHPjKcqBWrSkoiKbxI2IcbSECynYrehAA==
smtp.co.za. 1200 IN A 196.43.2.142
...</pre>
<p>In my own web management interface, it collects the KSK DNSKEY
and generates its own CDS - which it then EPP's up to the parent.
That all got done late last night - so the zone is secure (asking
1.1.1.1 - AD is set and correct data returns).<br>
</p>
<p>Question - What are the "TYPE65534" records? What are they
saying? I am using "DiG 9.16.1", so I'm surprised it doesn't know.<br>
</p>
<p>My zone's '$TTL' is 1200... so I would have thought the CDS record
would have appeared by now.<br>
I "signed" the zone at Apr 12 21:27 +02:00 and it's now 16 hours
later. I thought the biggest delay factor is the zone's $TTL, often
set to one day.<br>
</p>
<p>Looks like the SOA Serial Number still needs to be maintained
manually. Was expecting a more OpenDNSSEC approach. Would love an
automated YYYYMMDDxx number - date it was last 'modified'. Would
be perfect for small zones that are rarely updated.<br>
</p>
<div class="moz-signature">-- <br>
<p>Mark James ELKINS - Posix Systems - (South) Africa<br>
<a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a> Tel: <a href="tel:+27826010496">+27.826010496</a><br>
For fast, reliable, low cost Internet in ZA: <a
href="https://ftth.posix.co.za">https://ftth.posix.co.za</a><br>
<br>
<br>
</p>
</div>
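<p>Added example, not part of the post above and not BIND's own code: a small Python decoder for the two TYPE65534 records quoted in the post. BIND records per-key signing state in a private RR type (65534 by default); the five-byte layout decoded here is the one BIND uses for that record: algorithm (1 byte), key tag (2 bytes, big-endian), a "removing" flag and a "complete" flag. The RFC 4034 Appendix B key-tag routine is included so each private record can be matched to one of the DNSKEY RRs in the zone. The sample records and DNSKEYs are copied from the post; the algorithm-name table is a subset of the IANA registry, and the descriptive strings are modelled on what <code>rndc signing -list</code> prints, which is an assumption about wording rather than a parsed BIND output.</p>

```python
import base64
import struct

# Subset of the IANA "DNS Security Algorithm Numbers" registry.
DNSSEC_ALGORITHMS = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
                     14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}

# Sample input copied from the post: two generic-syntax records (RFC 3597
# "\# <length> <hex>" form) and the zone's two DNSKEY RRs (flags, proto, alg, key).
SAMPLE_PRIVATE_RECORDS = [
    "smtp.co.za. 0 IN TYPE65534 \\# 5 0D0D740001",
    "smtp.co.za. 0 IN TYPE65534 \\# 5 0D1BDA0001",
]
SAMPLE_DNSKEYS = [
    (256, 3, 13, "Rty3kVtsujkbxhKfvVP/xaK2vKetLwBxW9cd0M0GxrpIh8PdvAoTC8us"
                 "pgljMfMC5PIfNeLp+ZZKH0D0nJVSGg=="),
    (257, 3, 13, "LlDBhlTpPzo7/8hgaIe8AursP216+EuqYjwO23k8dlmIFqKRUEspMPHP"
                 "jKcqBWrSkoiKbxI2IcbSECynYrehAA=="),
]


def parse_rfc3597_rdata(line):
    """Return the raw RDATA of a presentation-format RR written in RFC 3597 generic syntax."""
    fields = line.split()
    idx = fields.index("\\#")
    declared = int(fields[idx + 1])
    rdata = bytes.fromhex("".join(fields[idx + 2:]))
    if len(rdata) != declared:
        raise ValueError(f"declared length {declared} != actual {len(rdata)}")
    return rdata


def decode_signing_state(line):
    """Decode BIND's per-key signing-state private record (alg, keytag, removing, complete)."""
    rdata = parse_rfc3597_rdata(line)
    if len(rdata) != 5:
        # BIND also stores NSEC3-chain state in the same private type; that form
        # has a different layout and is deliberately not handled here.
        raise ValueError("expected a 5-byte key signing-state record")
    alg, key_tag, removing, complete = struct.unpack("!BHBB", rdata)
    return {"algorithm": alg,
            "algorithm_name": DNSSEC_ALGORITHMS.get(alg, f"alg{alg}"),
            "key_tag": key_tag,
            "removing": bool(removing),
            "complete": bool(complete)}


def describe(state):
    """Human-readable summary; wording modelled on rndc signing -list (assumed)."""
    key = f"key {state['key_tag']}/{state['algorithm_name']}"
    if state["removing"]:
        return f"{'Done removing' if state['complete'] else 'Removing'} signatures from {key}"
    return f"{'Done signing' if state['complete'] else 'Signing'} with {key}"


def compute_key_tag(flags, protocol, algorithm, public_key_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def match_records_to_keys(private_records, dnskeys):
    """Map each private record's key tag to the DNSKEY flags it refers to (None if no DNSKEY matches)."""
    tags = {compute_key_tag(*k): k[0] for k in dnskeys}
    result = []
    for line in private_records:
        state = decode_signing_state(line)
        result.append((state["key_tag"], tags.get(state["key_tag"])))
    return result


if __name__ == "__main__":
    for line in SAMPLE_PRIVATE_RECORDS:
        print(describe(decode_signing_state(line)))
    for flags, proto, alg, key in SAMPLE_DNSKEYS:
        print(f"DNSKEY flags={flags} key tag={compute_key_tag(flags, proto, alg, key)}")
    for tag, flags in match_records_to_keys(SAMPLE_PRIVATE_RECORDS, SAMPLE_DNSKEYS):
        print(f"private record for key tag {tag} -> DNSKEY flags {flags}")
```

<p>A private record whose key tag matches no DNSKEY in the zone is normal while signatures for a retired key are being removed; once the "complete" flag is set and the key is gone, BIND drops the record itself.</p>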
</body>
</html>