<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="moz-cite-prefix">Hi Greg,</div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">thanks for the answer.</div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">I knew that CDS and CDNSKEY are just in
      my own zone and (as far as I understand) serve to inform the
      parent DNS about (upcoming?) changes in DS / DNSKEY records. I'm
      not quite sure about establishing the initial trust with the
      parent, but as our ccTLD parent DNS doesn't support CDS / CDNSKEY
      it's not a big deal anyway.</div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">What I don't understand is why Bind
      published CDS / CDNSKEY for just one of two very similar domains.
      Initially I thought that Bind checks the DS on the parent and only
      publishes CDS / CDNSKEY if the DS doesn't exist or is in some way
      different.<br>
    </div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">   Regards,</div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">    Danilo<br>
    </div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">On 2. 10. 24 12:19, Greg Choules wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CANsEUy1Ati0W7OeSwEnGYqo8q0Yi4ZjN2Yy6-JOnES6HPsiBQg@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">Hi Danilo.
        <div>The CDS and CDNSKEY are published in your own zone, not
          anywhere else. You can confirm this by doing a dig for them
          directly, or AXFR if you permit transfers on your server.</div>
        <div><br>
        </div>
        <div>They are intended for use with registrars that *do* support
          automatic DS creation using one of them. If yours doesn't and
          you already published your DS in the parent, then no big deal.
          The CDS and CDNSKEY will just sit in your zone and you don't
          have to do anything with them.</div>
        <div><br>
        </div>
        <div>Does that help?<br>
          Cheers, Greg</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Wed, 2 Oct 2024 at 10:58,
          Danilo Godec via bind-users <<a
            href="mailto:bind-users@lists.isc.org"
            moz-do-not-send="true" class="moz-txt-link-freetext">bind-users@lists.isc.org</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div>
            <p>Hi all,</p>
            <p>yesterday I spent my day fiddling with DNSSEC for a
              couple of my test domains - both had been signed
              'manually' before, but I hadn't published the DS records.<br>
            </p>
            <p><br>
            </p>
            <p>So yesterday I set up both for dnssec-policy, while also
              changing the signing algorithm and keys (basically starting
              from scratch):</p>
            <pre>dnssec-policy "nsec3_no_rotate" {
        keys {
                ksk key-directory lifetime unlimited algorithm 13;
                zsk key-directory lifetime unlimited algorithm 13;
        };
        nsec3param iterations 0 optout false;
};

...

        zone "sociopat.si" {
                type master;
                file "master/Danci/sociopat.si.hosts";
                key-directory "master/Danci/keys";
                dnssec-policy "nsec3_no_rotate";
                inline-signing yes;
        };

        zone "psihopat.si" {
                type master;
                file "master/Danci/psihopat.si.hosts";
                key-directory "master/Danci/keys";
                dnssec-policy "nsec3_no_rotate";
                inline-signing yes;
        };
...
</pre>
            <p><br>
            </p>
            <p>I published DS records through my registrar and after a
              couple of hours all seemed fine - both Verisign
              dnssec-analyzer and DNSViz show no errors or warnings for
              them.</p>
            <p><br>
            </p>
            <p>However, today bind logged this:</p>
            <pre>named[17379]: general: info: CDNSKEY for key sociopat.si/ECDSAP256SHA256/61220 is now published
named[17379]: general: info: CDS for key sociopat.si/ECDSAP256SHA256/61220 is now published
</pre>
            <p><br>
            </p>
            <p>I'm pretty sure this is not bad or wrong, but I would
              like to sort of understand why Bind decided it needs to
              publish CDS / CDNSKEY for this one and not the other,
              given that the DS records are published in the ccTLD:</p>
            <pre># dig ds sociopat.si
;; QUESTION SECTION:
;sociopat.si.                   IN      DS

;; ANSWER SECTION:
sociopat.si.            5826    IN      DS      61220 13 2 D8C1553B3D6BCF7A704A3D821069F57B6946DCA1D198D303E3B4C730 616F92AD


# dig ds psihopat.si

;; QUESTION SECTION:
;psihopat.si.                   IN      DS

;; ANSWER SECTION:
psihopat.si.            7200    IN      DS      7162 13 2 3C5A5625F848DBCF99A0B85017AFE04FD1F681037B61BE970D57AE9F 90F21CD8

</pre>
            <p><br>
            </p>
            <p>Also, as far as I know, .si DNS servers don't support CDS
              / CDNSKEY, so publishing them might be futile.<br>
            </p>
            <p><br>
            </p>
            <p>  Regards,<br>
              <br>
                 Danilo</p>
            <p><br>
            </p>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <p><br>
    </p>
    <div class="moz-signature">
      <div><br>
        Lep pozdrav / Best regards,<br>
        --<br>
        <table
style="background: none; border-width: 0px; border: 0px; margin: 0; padding: 0;"
          cellspacing="0" cellpadding="0" border="0">
          <tbody>
            <tr>
              <td
style="vertical-align: top; color: #666666; font-size: 12px; font-family: Arial, Helvetica, sans-serif;"
                valign="top"> <span style="font-weight: bold;">Danilo
                  Godec</span> | Sistemska podpora / System
                Administration </td>
            </tr>
            <tr>
              <td
style="vertical-align: top; color: #666666; font-size: 12px; font-family: Arial, Helvetica, sans-serif;"
                valign="top"> <span
                  style="font-weight: bold; color: #ed1c24">AGENDA
                  d.o.o.</span> | Ul. Pohorskega bataljona 49, SI-2000
                Maribor </td>
            </tr>
            <tr>
              <td
style="vertical-align: top; color: #666666; font-size: 12px; font-family: Arial, Helvetica, sans-serif;"
                valign="top"> <span
                  style="font-weight: bold; color: #ed1c24">E:</span> <a
                  href="mailto:danilo.godec@agenda.si"
                  class="moz-txt-link-freetext"> danilo.godec@agenda.si
                </a> | <span style="font-weight: bold; color: #ed1c24">T:</span>
                +386 (0)2 421 61 31 </td>
            </tr>
            <tr>
              <td
style="vertical-align: top; color: #666666; font-size: 12px; font-family: Arial, Helvetica, sans-serif; padding-top: 12px;"
                valign="top"> <a href="https://www.agenda.si/"> Agenda
                  OpenSystems </a> | The largest Slovenian open-source
                integrator </td>
            </tr>
            <tr>
              <td
style="vertical-align: top; color: #666666; font-size: 12px; font-family: Arial, Helvetica, sans-serif;"
                valign="top"> <a href="http://www.redhat.si/"> Red Hat
                  in Slovenia </a> | Red Hat Premier Business Partner </td>
            </tr>
            <tr>
              <td
style="vertical-align: top; color: #666666; font-size: 12px; font-family: Arial, Helvetica, sans-serif;"
                valign="top"> <a href="http://elasticbox.eu/">
                  ElasticBox </a> | Business solutions in the cloud </td>
            </tr>
            <tr>
              <td
style="vertical-align: top; color: #666666; font-size: 12px; font-family: Arial, Helvetica, sans-serif;"
                valign="top"> <a
                  href="https://www.agenda.si/index.php?id=228"> Izjava
                  o omejitvi odgovornosti / Legal disclaimer statement </a>
              </td>
            </tr>
          </tbody>
        </table>
      </div>
    </div>
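    <p>The check Greg suggests (dig for the CDS/CDNSKEY in your own zone and set them against the DS the parent serves) can be done offline once you have both dig outputs. The script below is an added example written for this thread; it is not code from BIND or from either poster, and it does not reproduce BIND's own rules for when dnssec-policy publishes CDS/CDNSKEY. It recomputes the DS implied by a CDNSKEY record exactly as RFC 4034 section 5.1.4 defines it (SHA-256 over the canonical owner name followed by the DNSKEY RDATA, key tag per Appendix B) and diffs that against the parent's DS RRset, so you can see whether the parent already has the right DS, still needs one, or holds a stale one. The zone name <code>example.test</code> and the two 64-byte keys are constructed sample data, not real zone keys; the one real line is the sociopat.si DS copied from the dig output above, used only to show that a digest dig wraps over two tokens still parses. In practice, feed <code>check_zone</code> the lines from <code>dig CDNSKEY zone</code> and <code>dig DS zone</code>.</p>

```python
"""Compare the DS a child zone advertises via CDNSKEY with the DS its parent
serves. Added example for this thread; not BIND code. All records below are
constructed sample input except the one DS line copied from the thread."""
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(rr):
    """'owner [TTL] [IN] DNSKEY|CDNSKEY flags proto alg base64' -> (owner, rdata bytes)."""
    f = rr.split()
    i = next(k for k, tok in enumerate(f) if tok.upper() in ("DNSKEY", "CDNSKEY"))
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    pubkey = base64.b64decode("".join(f[i + 4:]))   # dig may wrap the key over several tokens
    return f[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types and the number of hex characters each digest must have.
DIGEST = {1: (hashlib.sha1, 40), 2: (hashlib.sha256, 64), 4: (hashlib.sha384, 96)}


def ds_from_dnskey(owner, rdata, digest_type=2):
    """RFC 4034 section 5.1.4: digest = H(canonical owner name | DNSKEY RDATA)."""
    hfunc, _ = DIGEST[digest_type]
    digest = hfunc(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)   # rdata[3] is the algorithm byte


def parse_ds(rr):
    """'owner [TTL] [IN] DS|CDS tag alg dtype hex...' -> (tag, alg, dtype, HEX)."""
    f = rr.split()
    i = next(k for k, tok in enumerate(f) if tok.upper() in ("DS", "CDS"))
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    digest = "".join(f[i + 4:]).upper()   # dig wraps long digests over several tokens
    if len(digest) != DIGEST[dtype][1]:
        raise ValueError(f"DS {tag}: digest type {dtype} needs {DIGEST[dtype][1]} hex chars, got {len(digest)}")
    return (tag, alg, dtype, digest)


def check_zone(cdnskey_lines, parent_ds_lines, digest_type=2):
    """Classify each key the child advertises via CDNSKEY against the parent's DS RRset."""
    child = {ds_from_dnskey(*parse_dnskey(rr), digest_type) for rr in cdnskey_lines}
    parent = {parse_ds(rr) for rr in parent_ds_lines}
    return {
        "in_sync": sorted(child & parent),            # nothing for the registrar to do
        "missing_in_parent": sorted(child - parent),  # DS the parent still has to add
        "stale_in_parent": sorted(parent - child),    # DS for a key the child no longer advertises
    }


# Constructed sample data: two synthetic 64-byte keys (algorithm 13 sized), NOT real zone keys.
OLD_KEY = base64.b64encode(bytes(range(64))).decode()
NEW_KEY = base64.b64encode(bytes(range(64, 128))).decode()
SAMPLE_DNSKEY_OLD = f"example.test. 3600 IN DNSKEY 257 3 13 {OLD_KEY}"
SAMPLE_CDNSKEY_NEW = f"example.test. 3600 IN CDNSKEY 257 3 13 {NEW_KEY}"
# The one real line: the DS for sociopat.si as dig printed it in the thread (digest wrapped).
THREAD_DS_SOCIOPAT = ("sociopat.si. 5826 IN DS 61220 13 2 "
                      "D8C1553B3D6BCF7A704A3D821069F57B6946DCA1D198D303E3B4C730 616F92AD")


def parent_ds_for(dnskey_line):
    """Presentation-format DS line the parent would hold for the given DNSKEY/CDNSKEY line."""
    owner, rdata = parse_dnskey(dnskey_line)
    tag, alg, dtype, digest = ds_from_dnskey(owner, rdata)
    return f"{owner} 7200 IN DS {tag} {alg} {dtype} {digest}"


def demo():
    """Parent still holds the DS of the old key; the child now advertises the new key via CDNSKEY."""
    return check_zone([SAMPLE_CDNSKEY_NEW], [parent_ds_for(SAMPLE_DNSKEY_OLD)])


if __name__ == "__main__":
    for status, entries in demo().items():
        print(status, [f"{tag} {alg} {dtype}" for tag, alg, dtype, _ in entries])
```

    <p>The design point is that the comparison is made on the full (key tag, algorithm, digest type, digest) tuple and the digest is recomputed from the key rather than trusted from a CDS line, so a CDS that BIND publishes for a key whose DS the parent already has shows up as <code>in_sync</code>, and a DS left behind from the earlier manual signing shows up as <code>stale_in_parent</code>. A key tag collision alone is therefore never reported as a match.</p>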
  </body>
</html>