<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">Hi Matthijs,</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">thanks, that explains a bunch.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I checked both domain with '<i>rndc
dnssec -status</i>' and they do show different states:</div>
<div class="moz-cite-prefix">
<pre># rndc dnssec -status psihopat.si
dnssec-policy: nsec3_no_rotate
current time: Wed Oct 2 14:25:31 2024
key: 37651 (ECDSAP256SHA256), ZSK
published: yes - since Tue Oct 1 20:23:24 2024
zone signing: yes - since Tue Oct 1 20:23:24 2024
No rollover scheduled
- goal: omnipresent
- dnskey: omnipresent
<b> - zone rrsig: rumoured</b>
key: 7162 (ECDSAP256SHA256), KSK
published: yes - since Tue Oct 1 20:23:24 2024
key signing: yes - since Tue Oct 1 20:23:24 2024
No rollover scheduled
- goal: omnipresent
- dnskey: omnipresent
<b> - ds: hidden</b>
- key rrsig: omnipresent
# rndc dnssec -status sociopat.si
dnssec-policy: nsec3_no_rotate
current time: Wed Oct 2 14:25:34 2024
key: 17354 (ECDSAP256SHA256), ZSK
published: yes - since Tue Oct 1 10:09:53 2024
zone signing: yes - since Tue Oct 1 10:09:53 2024
No rollover scheduled
- goal: omnipresent
- dnskey: omnipresent
- zone rrsig: omnipresent
key: 61220 (ECDSAP256SHA256), KSK
published: yes - since Tue Oct 1 10:09:53 2024
key signing: yes - since Tue Oct 1 10:09:53 2024
No rollover scheduled
- goal: omnipresent
- dnskey: omnipresent
<b> - ds: rumoured</b>
- key rrsig: omnipresent
</pre>
</div>
<div class="moz-cite-prefix"><br>
</div>
So I ran <i>rndc dnssec -checkds published<b> </b></i>for both
zones:<br>
<pre># rndc dnssec -checkds published sociopat.si
Marked DS as published since 02-Oct-2024 14:33:33.000
# rndc dnssec -checkds published legenda.si
Marked DS as published since 02-Oct-2024 14:33:47.000
</pre>
<div class="moz-cite-prefix">That changed KSK DS state from <b>hidden</b>
to <b>rumoured</b> for psihopat.si, but made no change to
sociopat.si.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Should the change be immediate or is it
also TTL dependent?</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"> Regards,</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"> Danilo</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 2. 10. 24 13:10, Matthijs Mekking
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:873afcc1-99ad-4bd7-97a3-e51678f6f6d6@isc.org">Hi Danilo,
<br>
<br>
When you enable DNSSEC for the first time, first the DNSKEY and
the signatures need to be introduced in the zone, and propagated
to the world. The propagation depends on the TTL values, and these
are derived from the dnssec-policy configuration. By default it
takes more than a day because of max-zone-ttl is set to 86400.
<br>
<br>
Only then it is fully safe to publish the DS, so at that point
BIND will publish the CDS/CDNSKEY records.
<br>
<br>
Note that this long delay is only when you enable DNSSEC, key
rollovers only need to take the DNSKEY TTL into account (plus some
safety and propagation values).
<br>
<br>
So you submitted the DS too soon. Luckily the delay on the first
sign is pretty conservative and your zones appear to be fine after
publishing the DS. But in an automated way (CDS polling), the DS
would have been submitted later than you did.
<br>
<br>
Three more comments:
<br>
<br>
<br>
1.
<br>
> I thought that Bind checks the DS on the parent and only
publishes CDS > / CDNSKEY if DS doesn't exist or is in some way
different.
<br>
<br>
No. The CDS/CDNSKEY RRset is published and won't be removed from
the zone.
<br>
<br>
The RFC says that when the Parent DS is in sync with the
CDS/CDNSKEY RRset, the Child DNS Operator MAY delete the
CDS/CDNSKEY RRset.
<br>
<br>
We chose not to do so, because it can be handy to see what the DS
records in the parent should be given what CDS/CDNSKEY RRset is
published in the child zone.
<br>
<br>
<br>
2.
<br>
Depending on your configuration, BIND will check if the DS is
actually in the parent zone. If it does not, you have to check it
manually and tell BIND with the 'rndc dnssec -checkds' command.
Otherwise, the DS may stay in the "Rumoured" state indefinitely,
and this can influence future key rollovers.
<br>
<br>
<br>
3.
<br>
You can use the options 'cds-digest-types' and 'cdnskey' to set
what RRsets need to be published.
<br>
<br>
<br>
Hope this helps, best regards,
<br>
<br>
Matthijs
<br>
<br>
<br>
On 10/2/24 12:42, Danilo Godec via bind-users wrote:
<br>
<blockquote type="cite">Hi Greg,
<br>
<br>
thanks for the answer.
<br>
<br>
I knew that CDS and CDNSKEY are just in my own zone and (as far
as I understand), serve to inform the parent DNS about
(upcoming?) changes in DS / DNSKEY records. I'm not quite sure
about establishing the initial trust with the parent, but as our
ccTLD parent DNS doesn't support CDS / CDNSKEY it's not a big
deal anyway.
<br>
<br>
<br>
What I don't understand is why Bind published CDS / CDNSKEY just
for one of two very similar domains? Initially I thought that
Bind checks the DS on the parent and only publishes CDS /
CDNSKEY if DS doesn't exist or is in some way different.
<br>
<br>
<br>
<br>
Regards,
<br>
<br>
Danilo
<br>
<br>
<br>
<br>
On 2. 10. 24 12:19, Greg Choules wrote:
<br>
<blockquote type="cite">Hi Danilo.
<br>
The CDS and CDNSKEY are published in your own zone, not
anywhere else. You can confirm this by doing a dig for them
directly, or AXFR if you permit transfers on your server.
<br>
<br>
They are intended for use with registrars that *do* support
automatic DS creation using one of them. If yours doesn't and
you already published your DS in the parent, then no big deal.
The CDS and CDNSKEY will just sit in your zone and you don't
have to do anything with them.
<br>
<br>
Does that help?
<br>
Cheers, Greg
<br>
<br>
On Wed, 2 Oct 2024 at 10:58, Danilo Godec via bind-users
<a class="moz-txt-link-rfc2396E" href="mailto:bind-users@lists.isc.org"><bind-users@lists.isc.org></a> wrote:
<br>
<br>
Hi all,
<br>
<br>
yesterday I filled my day fiddling with DNSSEC for a
couple of my
<br>
test domains - both have been signed 'manually' before,
but I
<br>
haven't published the DS record.
<br>
<br>
<br>
So yesterday I setup both for dnssec-policy, while also
changing
<br>
the signing algorithm and keys (basically started from
scratch):
<br>
<br>
dnssec-policy "nsec3_no_rotate" {
<br>
keys {
<br>
ksk key-directory lifetime unlimited
algorithm 13;
<br>
zsk key-directory lifetime unlimited
algorithm 13;
<br>
};
<br>
nsec3param iterations 0 optout false;
<br>
};
<br>
<br>
...
<br>
<br>
zone "sociopat.si <a class="moz-txt-link-rfc2396E" href="http://sociopat.si"><http://sociopat.si></a>" {
<br>
type master;
<br>
file "master/Danci/sociopat.si.hosts";
<br>
key-directory "master/Danci/keys";
<br>
dnssec-policy "nsec3_no_rotate";
<br>
inline-signing yes;
<br>
};
<br>
<br>
zone "psihopat.si <a class="moz-txt-link-rfc2396E" href="http://psihopat.si"><http://psihopat.si></a>" {
<br>
type master;
<br>
file "master/Danci/psihopat.si.hosts";
<br>
key-directory "master/Danci/keys";
<br>
dnssec-policy "nsec3_no_rotate";
<br>
inline-signing yes;
<br>
};
<br>
...
<br>
<br>
<br>
I published DS records through my registrar and after a
couple of
<br>
hours all seemed fine - both Verisign dnssec-analyzer and
DNSViz
<br>
show no errors or warnings for them.
<br>
<br>
<br>
However, today bind logged this:
<br>
<br>
named[17379]: general: info: CDNSKEY for
keysociopat.si/ECDSAP256SHA256/61220
<a class="moz-txt-link-rfc2396E" href="http://sociopat.si/ECDSAP256SHA256/61220"><http://sociopat.si/ECDSAP256SHA256/61220></a> is now
published
<br>
named[17379]: general: info: CDS for
keysociopat.si/ECDSAP256SHA256/61220
<a class="moz-txt-link-rfc2396E" href="http://sociopat.si/ECDSAP256SHA256/61220"><http://sociopat.si/ECDSAP256SHA256/61220></a> is now
published
<br>
<br>
<br>
I'm pretty sure this is not bad or wrong, but I would like
to
<br>
sort-of understand, why Bind decided it needs to publish
CDS /
<br>
CDNSKEY for this one and not the other one, given that DS
records
<br>
are published in ccTLDs:
<br>
<br>
# dig dssociopat.si <a class="moz-txt-link-rfc2396E" href="http://sociopat.si"><http://sociopat.si></a>
<br>
;; QUESTION SECTION:
<br>
;sociopat.si
<a class="moz-txt-link-rfc2396E" href="http://sociopat.si"><http://sociopat.si></a>. IN DS
<br>
<br>
;; ANSWER SECTION:
<br>
sociopat.si <a class="moz-txt-link-rfc2396E" href="http://sociopat.si"><http://sociopat.si></a>.
5826 IN DS 61220 13 2
D8C1553B3D6BCF7A704A3D821069F57B6946DCA1D198D303E3B4C730
616F92AD
<br>
<br>
<br>
# dig dspsihopat.si <a class="moz-txt-link-rfc2396E" href="http://psihopat.si"><http://psihopat.si></a>
<br>
<br>
;; QUESTION SECTION:
<br>
;psihopat.si
<a class="moz-txt-link-rfc2396E" href="http://psihopat.si"><http://psihopat.si></a>. IN DS
<br>
<br>
;; ANSWER SECTION:
<br>
psihopat.si <a class="moz-txt-link-rfc2396E" href="http://psihopat.si"><http://psihopat.si></a>.
7200 IN DS 7162 13 2
3C5A5625F848DBCF99A0B85017AFE04FD1F681037B61BE970D57AE9F
90F21CD8
<br>
<br>
<br>
Also, as far as I know, .si DNS servers don't support CDS
/
<br>
CDNSKEY, so publishing them might be futile.
<br>
<br>
<br>
Regards,
<br>
<br>
Danilo
<br>
<br>
<br>
-- Visit
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to
<br>
unsubscribe from this list
<br>
<br>
ISC funds the development of this software with paid
support
<br>
subscriptions. Contact us at <a class="moz-txt-link-freetext" href="https://www.isc.org/contact/">https://www.isc.org/contact/</a>
for more
<br>
information.
<br>
<br>
<br>
bind-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
<br>
<br>
</blockquote>
<br>
</blockquote>
</blockquote>
<div class="moz-signature">
<div></div>
</div>
</body>
</html>