<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>:-) Will let you know in a year!</p>
<p><br>
</p>
<p>ps - please, please keep the CDS's in the child zone - reflecting
the current KSK's! (etc)<br>
</p>
<div class="moz-cite-prefix">On 2022/11/24 09:50, Matthijs Mekking
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:e879100f-e6f6-0dbc-13f5-e64a7297e166@isc.org">Hi,
<br>
<br>
I think this should work with some caveats.
<br>
<br>
First, if you migrate to dnssec-policy (that is, the zone is
already signed), make sure that the key properties match the
current DNSKEYs.
<br>
<br>
Second is about your script:
<br>
<br>
&gt; If the child loses a CDS record - my external script will
remove the
<br>
> corresponding DS record from the parent.
<br>
<br>
This is true for BIND 9, as it will publish the CDS for as long as
the DS should be in the parent. But it doesn't have to be the
case. The RFC (7344) says:
<br>
<br>
When the Parent DS is in sync with the CDS/CDNSKEY
<br>
RRset(s), the Child DNS Operator MAY delete the CDS/CDNSKEY
RRset(s);
<br>
the Child can determine if this is the case by querying for DS
<br>
records in the Parent.
<br>
<br>
Personally I like to keep the CDS in the child zone, so you can
see if the parent is in sync, that is why I implemented it in BIND
9 to keep the CDS.
<br>
<br>
Best regards,
<br>
<br>
Matthijs
<br>
<br>
<br>
On 23-11-2022 18:24, Mark Elkins via bind-users wrote:
<br>
<blockquote type="cite">Hi people,
<br>
<br>
I have read
<a class="moz-txt-link-freetext" href="https://kb.isc.org/docs/dnssec-key-and-signing-policy">https://kb.isc.org/docs/dnssec-key-and-signing-policy</a>
<br>
<br>
I have put the following policy in my named.conf file:-
<br>
<br>
<pre>
dnssec-policy "ecdsa256-policy" {
    signatures-refresh 5d;
    signatures-validity 14d;
    signatures-validity-dnskey 14d;
    dnskey-ttl 3600;
    publish-safety 1h;
    retire-safety 1h;
    purge-keys 10d;

    keys {
        ksk lifetime 370d algorithm ecdsa256; // &lt;---- this part in particular!
        zsk lifetime 34d algorithm ecdsa256;
    };

    zone-propagation-delay 300s;
    max-zone-ttl 86400s;
    parent-propagation-delay 1h;
    parent-ds-ttl 3600;
};
</pre>
<br>
<br>
I also have some external code that goes trawling for CDS
records and puts into a parent whatever it finds in the child -
that in this case is signed with the above policy stanza.
<br>
<br>
If the child creates a new CDS - my external scripts will find
it and pop it into the parent as a DS record.
<br>
If the child loses a CDS record - my external script will
remove the corresponding DS record from the parent.
<br>
Basically - whatever is in the child as a CDS will be in the
parent as a DS.
<br>
A null CDS removes all DS records - but that's not my question.
<br>
<br>
Is there anything else I need to do? Any additional rndc's ??
<br>
<br>
-- <br>
<br>
Mark James ELKINS - Posix Systems - (South) Africa
<br>
<a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a> Tel: +27.826010496
<br>
<br>
<br>
</blockquote>
</blockquote>
<div class="moz-signature">-- <br>
<p>Mark James ELKINS - Posix Systems - (South) Africa<br>
<a class="moz-txt-link-abbreviated" href="mailto:mje@posix.co.za">mje@posix.co.za</a> Tel: <a href="tel:+27826010496">+27.826010496</a><br>
For fast, reliable, low cost Internet in ZA: <a
href="https://ftth.posix.co.za">https://ftth.posix.co.za</a><br>
</p>
</div>
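<p>The CDS-to-DS sync that the thread discusses, as an added example that is not part of this thread, of Mark's script or of BIND 9. It is an offline model of the decision a parent-side script has to make, built around the two cases the messages raise: an empty CDS RRset, which RFC 7344 allows once the parent is in sync and therefore must not be read as "delete all DS", and the null CDS <code>0 0 0 00</code> from RFC 8078, which does mean "remove every DS". The record lines, names and key tags are constructed, and the function assumes the CDS RRset was fetched with DNSSEC validation and already passed the parent's RFC 7344 acceptance policy.</p>

```python
# Added example, not code from the bind-users thread or from BIND 9:
# an offline model of the "child CDS -> parent DS" sync the thread discusses,
# handling the two cases raised there: an empty CDS RRset (the child MAY stop
# publishing CDS once the parent is in sync, RFC 7344) and the null CDS
# "0 0 0 00" (RFC 8078: remove every DS). Record lines below are constructed.

NULL_CDS = (0, 0, 0, "00")  # RFC 8078 "DELETE" CDS rdata


def parse_rrset(lines, rrtype):
    """Parse presentation-format lines into a set of (keytag, alg, digest_type, digest).

    Only records whose type field equals rrtype ("CDS" or "DS") are kept; the
    digest may be split over several whitespace-separated chunks, as dig prints it.
    """
    rdatas = set()
    for line in lines:
        fields = line.split()
        if len(fields) < 8 or fields[3].upper() != rrtype:
            continue
        keytag, alg, digest_type = int(fields[4]), int(fields[5]), int(fields[6])
        digest = "".join(fields[7:]).lower()
        rdatas.add((keytag, alg, digest_type, digest))
    return rdatas


def plan_ds_update(child_cds, parent_ds):
    """Return (to_add, to_remove) as sets of rdata tuples.

    Assumes child_cds came from a DNSSEC-validated query (AD bit set) and that
    the caller has applied the parent's acceptance policy from RFC 7344, e.g.
    that the CDS RRset was signed by a key already represented in the current DS.
    """
    if child_cds == {NULL_CDS}:
        # Explicit request to go insecure: remove all DS records.
        return set(), set(parent_ds)
    if NULL_CDS in child_cds:
        # A null CDS next to real CDS records is ambiguous; do nothing.
        raise ValueError("null CDS mixed with other CDS records; refusing to act")
    if not child_cds:
        # No CDS at all: RFC 7344 lets the child drop the CDS once the parent
        # is in sync, so absence means "no change", never "delete all DS".
        return set(), set()
    return child_cds - parent_ds, parent_ds - child_cds


# Constructed sample data: the child has rolled to key tag 23456 while the
# parent still carries a DS for the retired key tag 34567.
CHILD_CDS = [
    "child.example. 3600 IN CDS 12345 13 2 " + "a" * 64,
    "child.example. 3600 IN CDS 23456 13 2 " + "b" * 64,
    "child.example. 3600 IN RRSIG CDS 13 2 3600 ...",  # ignored: wrong type
]
PARENT_DS = [
    "child.example. 3600 IN DS 12345 13 2 " + "a" * 64,
    "child.example. 3600 IN DS 34567 13 2 " + "c" * 64,
]


def sync_example():
    """Run the planner on the constructed data; returns the (to_add, to_remove) pair."""
    return plan_ds_update(parse_rrset(CHILD_CDS, "CDS"), parse_rrset(PARENT_DS, "DS"))


if __name__ == "__main__":
    to_add, to_remove = sync_example()
    for rdata in sorted(to_add):
        print("add DS   ", *rdata)
    for rdata in sorted(to_remove):
        print("remove DS", *rdata)
```

<p>Feeding it real data means replacing the constructed lists with the output of a validating query for the child's CDS and the parent's DS; the point of the empty-set branch is that a child operator who follows the RFC 7344 "MAY delete the CDS" text will otherwise have every DS pulled from the parent.</p>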
</body>
</html>