DNSSEC ZSK rollover

Robert Senger robert.senger at lists.microscopium.de
Fri Aug 28 17:24:23 UTC 2015


Hi all,

after upgrading from Debian Wheezy to Jessie, the dnssec-tools package
(including rollerd for automatic ZSK key rollover) is no longer
available.

So I've set up bind9 to do the signing:

zone "mydomain.de" in
{
     type master;
     auto-dnssec maintain;
     inline-signing yes;
     file "/etc/bind/zone.external.de.mydomain";
     allow-transfer { key my-transfer-key; };
};

I added the required timing information to the ZSKs (P/A/I/D), and set
up a cron run script that generates the new keys for prepublication when
it's time.

It almost works as expected, but unlike ZSK rollover with rollerd, zones
are not completely re-signed with the new ZSK upon its activation.
Instead, every RR is re-signed at a separate time. It takes about a day or
so until all RRs are signed with the new ZSK. The old ZSK is still
published in the zone, so there are no DNSSEC failures.

But this behaviour results in an IXFR zone transfer to the secondary
nameservers every time an RR is re-signed.

Is that the intended behaviour, or am I missing something needed to get the zones
re-signed in one single action (and transferred with one single IXFR)
rather than getting each RR re-signed separately?

Cheers,

Robert

-- 
Robert Senger
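As an added example (not the poster's cron script and not part of BIND): a check of the kind the post describes, which reads the P/A/I/D metadata that dnssec-keygen writes into each ZSK's .key file, reports which ZSK is signing now and, when an active key's Inactive time lies within the prepublication interval and no successor exists yet, emits the dnssec-keygen -S command that would pre-publish one. The key directory, the 30-day interval and the two sample key files are assumptions; the key files are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample .key files for two ZSKs, showing the metadata comments
# that dnssec-keygen / dnssec-settime write; the DNSKEY RDATA is a placeholder.
SAMPLE_KEYS = {
    "Kmydomain.de.+008+11111": (
        "; This is a zone-signing key, keyid 11111, for mydomain.de.\n"
        "; Publish: 20150701000000 (Wed Jul  1 00:00:00 2015)\n"
        "; Activate: 20150801000000 (Sat Aug  1 00:00:00 2015)\n"
        "; Inactive: 20150901000000 (Tue Sep  1 00:00:00 2015)\n"
        "; Delete: 20151001000000 (Thu Oct  1 00:00:00 2015)\n"
        "mydomain.de. IN DNSKEY 256 3 8 PLACEHOLDER\n"),
    "Kmydomain.de.+008+22222": (
        "; This is a zone-signing key, keyid 22222, for mydomain.de.\n"
        "; Publish: 20150801000000 (Sat Aug  1 00:00:00 2015)\n"
        "; Activate: 20150901000000 (Tue Sep  1 00:00:00 2015)\n"
        "; Inactive: 20151001000000 (Thu Oct  1 00:00:00 2015)\n"
        "; Delete: 20151101000000 (Sun Nov  1 00:00:00 2015)\n"
        "mydomain.de. IN DNSKEY 256 3 8 PLACEHOLDER\n"),
}

def parse_key_times(text):
    """Return the Publish/Activate/Inactive/Delete times (UTC) of one .key file."""
    times = {}
    for field in ("Publish", "Activate", "Inactive", "Delete"):
        m = re.search(r"^; %s: (\d{14})" % field, text, re.MULTILINE)
        if m:
            times[field] = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    return times

def rollover_check(key_texts, now_ts, prepublish_days=30, keydir="/etc/bind/keys"):
    """Given {keyname: .key file text} and 'now' as a BIND timestamp, return the
    ZSKs signing now and the dnssec-keygen commands for successors still missing.
    -S copies the predecessor's algorithm and size, sets Activate = predecessor's
    Inactive and Publish = Activate minus the -i interval. keydir is an assumption."""
    now = datetime.strptime(now_ts, "%Y%m%d%H%M%S")
    keys = {n: parse_key_times(t) for n, t in key_texts.items()}
    active = sorted(n for n, t in keys.items() if t["Activate"] <= now < t["Inactive"])
    commands = []
    for name in active:
        inactive = keys[name]["Inactive"]
        if now < inactive - timedelta(days=prepublish_days):
            continue  # not yet inside the prepublication window
        if any(t["Activate"] == inactive for t in keys.values()):
            continue  # a successor (Activate == this key's Inactive) already exists
        commands.append("dnssec-keygen -K %s -S %s -i %dd mydomain.de"
                        % (keydir, name, prepublish_days))
    return active, commands
```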

