BIND-9.16.1 & KASP
Mark Elkins
mje at posix.co.za
Mon Apr 13 12:22:53 UTC 2020
Hi all,
I have been experimenting with BIND-9.16.1 & KASP. So far - it really
looks great and it should greatly simplify DNSSEC for the masses.
My named.conf entry:-
dnssec-policy "ecdsa256-policy" {
    dnskey-ttl 3600;
    keys {
        ksk lifetime unlimited algorithm ecdsa256;
        zsk lifetime 34d algorithm ecdsa256;
    };
};

zone "smtp.co.za" {
    type master;
    file "/etc/ns.d/pri/smtp.co.za/db.smtp.co.za";
    key-directory "/etc/ns.d/pri/smtp.co.za/keys";
    dnssec-policy "ecdsa256-policy";
};
My experimental zone (smtp.co.za) is still waiting for the initial period of
(I think) about 25 hours since setup, so no CDS records in the zone yet -
but I do have two new unknown records. From the command:-
dig @localhost smtp.co.za axfr | grep -v RRSIG
smtp.co.za. 1200 IN SOA jekyll.smtp.co.za.
dns-admin.posix.co.za. 2018091104 86400 10800 604800 600
smtp.co.za. 0 IN TYPE65534 \# 5 0D0D740001
smtp.co.za. 0 IN TYPE65534 \# 5 0D1BDA0001
smtp.co.za. 3600 IN DNSKEY 256 3 13
Rty3kVtsujkbxhKfvVP/xaK2vKetLwBxW9cd0M0GxrpIh8PdvAoTC8us
pgljMfMC5PIfNeLp+ZZKH0D0nJVSGg==
smtp.co.za. 3600 IN DNSKEY 257 3 13
LlDBhlTpPzo7/8hgaIe8AursP216+EuqYjwO23k8dlmIFqKRUEspMPHP
jKcqBWrSkoiKbxI2IcbSECynYrehAA==
smtp.co.za. 1200 IN A 196.43.2.142
...
In my own web management interface, it collects the KSK DNSKEY and
generates its own CDS - which it then EPP's up to the parent. That all
got done late last night - so the zone is secure (asking 1.1.1.1 - AD is
set and correct data returns).
Question - What are the "TYPE65534" records? What are they saying? I am
using "DiG 9.16.1" so surprised it doesn't know.
My zone's '$TTL' is 1200... so I would have thought the CDS record would
have appeared by now.
I "signed" the zone at Apr 12 21:27 +02:00 and it's now 16 hours later. I
thought the biggest delay factor is the zone's $TTL, often set to one day.
Looks like the SOA Serial Number still needs to be maintained manually.
Was expecting a more OpenDNSSEC approach. Would love an automated
YYYYMMDDxx number - date it was last 'modified'. Would be perfect for
small zones that are rarely updated.
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.826010496 <tel:+27826010496>
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
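Editorial note, not part of Mark's message: the TYPE65534 records are BIND's "private-type" signing-state records, which named writes into a zone it is signing to track, per key, which algorithm and key id is being used and whether signing with that key is complete or the key is being removed. The 5-octet layout (algorithm, key id in network order, removal flag, complete flag) is the one documented in the BIND ARM; dig prints them in RFC 3597 generic syntax because no presentation format is registered for the type. The following added example (written for this page, not BIND or ISC code) decodes the two records quoted above and, as a cross-check, computes RFC 4034 key tags for DNSKEY RRs so the key ids can be matched to the zone's ZSK and KSK. The `SAMPLE_*` data is copied from the post; the `ALGORITHMS` table is an excerpt of the IANA algorithm registry.

```python
"""Decode BIND private-type (TYPE65534) signing-state records from dig output.

Field layout (BIND ARM, private-type records): algorithm (1 octet), key id in
network order (2 octets), removal flag (1 octet), complete flag (1 octet).
"""
import base64
import struct

# Excerpt of the IANA DNSSEC algorithm registry, for readable output.
ALGORITHMS = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
              14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}

# Records copied from the dig axfr output quoted in the post.
SAMPLE_PRIVATE = [r"\# 5 0D0D740001", r"\# 5 0D1BDA0001"]
SAMPLE_DNSKEYS = [
    (256, 3, 13, "Rty3kVtsujkbxhKfvVP/xaK2vKetLwBxW9cd0M0GxrpIh8PdvAoTC8us"
                 "pgljMfMC5PIfNeLp+ZZKH0D0nJVSGg=="),
    (257, 3, 13, "LlDBhlTpPzo7/8hgaIe8AursP216+EuqYjwO23k8dlmIFqKRUEspMPHP"
                 "jKcqBWrSkoiKbxI2IcbSECynYrehAA=="),
]


def parse_rfc3597_rdata(presentation: str) -> bytes:
    """Parse RFC 3597 generic RDATA ('\\# <length> <hex...>') into bytes."""
    parts = presentation.split()
    if len(parts) < 2 or parts[0] != r"\#":
        raise ValueError("not RFC 3597 generic RDATA")
    length = int(parts[1])
    data = bytes.fromhex("".join(parts[2:]))
    if len(data) != length:
        raise ValueError(f"length field {length} != {len(data)} hex octets")
    return data


def decode_private_type(rdata: bytes) -> dict:
    """Interpret one 5-octet BIND private-type record as a signing-state entry."""
    if len(rdata) != 5:
        raise ValueError("BIND private-type records are exactly 5 octets")
    alg, key_id, removing, complete = struct.unpack("!BHBB", rdata)
    return {"algorithm": alg, "algorithm_name": ALGORITHMS.get(alg, f"alg{alg}"),
            "key_id": key_id, "removing": bool(removing), "complete": bool(complete)}


def dnskey_key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA (non-RSAMD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8  # big-endian 16-bit words; odd trailing octet is high half
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def decode_sample_records() -> list:
    """Decode the two TYPE65534 records from the post."""
    return [decode_private_type(parse_rfc3597_rdata(p)) for p in SAMPLE_PRIVATE]


def match_keys(private_entries: list, dnskeys: list) -> dict:
    """Map each private-type key id to the DNSKEY (by flags) whose key tag matches, if any."""
    tags = {dnskey_key_tag(*k): k[0] for k in dnskeys}  # key tag -> flags (256 ZSK / 257 KSK)
    return {e["key_id"]: tags.get(e["key_id"]) for e in private_entries}


if __name__ == "__main__":
    entries = decode_sample_records()
    for e in entries:
        state = "removing" if e["removing"] else ("complete" if e["complete"] else "in progress")
        print(f"key id {e['key_id']:5d}  {e['algorithm_name']:16s}  signing {state}")
    for key_id, flags in match_keys(entries, SAMPLE_DNSKEYS).items():
        role = {256: "ZSK", 257: "KSK"}.get(flags, "no DNSKEY with this tag")
        print(f"private record {key_id} -> {role}")
```

Running it shows both records carry algorithm 13 (ECDSAP256SHA256), key ids 3444 and 7130, removal flag clear and complete flag set, i.e. the zone is fully signed with both keys and neither is being retired. The `match_keys` step pairs each key id with the DNSKEY whose RFC 4034 key tag matches, which is how to tell which record describes the ZSK (flags 256) and which the KSK (flags 257).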