FW: Bind9.11: dnssec inline signing, cds records and catalog zones
Daniel Stirnimann
daniel.stirnimann at switch.ch
Fri Dec 21 14:28:59 UTC 2018
Hello Philippe,
> Is there a direct way to set the NSEC3PARAM?
No idea.
> Switch, the registry for .ch and .li domains is using/testing CDS
> records. Can I tell named, to create the CDS Records for me?
If your keys have appropriate timing metadata, then the CDS/CDNSKEY
records are published for your zones automatically:
See man dnssec-keygen

...
Timing options:
    -P date/[+-]offset/none: set key publication date (default: now)
    -P sync date/[+-]offset/none: set CDS and CDNSKEY publication date
    -A date/[+-]offset/none: set key activation date (default: now)
    -R date/[+-]offset/none: set key revocation date
    -I date/[+-]offset/none: set key inactivation date
    -D date/[+-]offset/none: set key deletion date
    -D sync date/[+-]offset/none: set CDS and CDNSKEY deletion date

or man dnssec-settime
> And every time I create or activate new keys, I have to manually add the
> CDS records, right?
Not if your keys have the appropriate timing metadata.
Daniel
--
SWITCH
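
Added example, not part of the original message: a small shell check that reads the timing-metadata comments in BIND `K*.key` files and reports whether the CDS/CDNSKEY dates set with `-P sync` / `-D sync` are present and already in effect. The function names `cds_sync_state` and `cds_report` are hypothetical, the sample key file is constructed, and the script assumes the key file records these dates as `; SyncPublish:` and `; SyncDelete:` comment lines.

```shell
#!/bin/sh
# Hypothetical helper (not part of BIND): report the CDS/CDNSKEY schedule
# recorded in a key file's timing-metadata comments.
# Usage: cds_sync_state KEYFILE [NOW]   (NOW = YYYYMMDDHHMMSS in UTC)
cds_sync_state() {
    keyfile=$1
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    awk -v now="$now" '
        /^; SyncPublish:/ { pub = $3 }
        /^; SyncDelete:/  { del = $3 }
        END {
            if (pub == "")                    print "unset"
            else if (del != "" && now >= del) print "withdrawn"
            else if (now >= pub)              print "published"
            else                              print "scheduled"
        }' "$keyfile"
}

# Print one line per K*.key file in DIR: file name and its sync state.
cds_report() {
    for k in "$1"/K*.key; do
        [ -f "$k" ] || continue
        printf '%s %s\n' "${k##*/}" "$(cds_sync_state "$k" "$2")"
    done
}

# Constructed sample key file (placeholder key data, not a real key).
demo_dir=$(mktemp -d)
cat > "$demo_dir/Kexample.ch.+013+12345.key" <<'EOF'
; This is a key-signing key, keyid 12345, for example.ch.
; Created: 20181201000000 (Sat Dec  1 00:00:00 2018)
; Publish: 20181201000000 (Sat Dec  1 00:00:00 2018)
; Activate: 20181201000000 (Sat Dec  1 00:00:00 2018)
; SyncPublish: 20181222000000 (Sat Dec 22 00:00:00 2018)
example.ch. IN DNSKEY 257 3 13 PLACEHOLDER
EOF
cds_report "$demo_dir" 20181221142859   # before the sync date
cds_report "$demo_dir" 20181223000000   # after the sync date
rm -rf "$demo_dir"
```

A key reported as `unset` has no sync publication date in its metadata, which is the case the `-P sync` option above addresses.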