ISC DNSSEC Guide - Working with the Parent Zone
Daniel Stirnimann
daniel.stirnimann at switch.ch
Wed Dec 23 08:53:22 UTC 2020
Hi all,
I'm testing the key rollover behavior of BIND 9.16 with the new
introduced "dnssec-policy" statement.
The ISC DNSSEC Guide, chapter Working with the Parent Zone (2) [1] states:
"At the time of this writing (mid-2020) BIND does not check for the
presence of a DS record in the parent zone before completing the KSK or
CSK rollover and withdrawing the old key. Instead, you need to use the
rndc tool to tell named that the DS record has been published."
The last sentence that one has to tell named that the DS record has been
published is not what I'm observing. My tests show that BIND continues
(finishes) the key rollover. The use of the rndc tool is not required.
Is this an error in the documentation?
dnsviz output of the test domain:
badware.ch signed with key 39414 but no trust anchor in .ch yet:
https://dnsviz.net/d/badware.ch/X9DD2w/dnssec/
badware.ch DNSSEC boostrap completed (with trust anchor in .ch,
automatically picked up by CDS/CDNSKEY polling by the parent):
https://dnsviz.net/d/badware.ch/X9ZGPA/dnssec/
badware.ch key rollover from key 39414 to key 6207 in progress:
https://dnsviz.net/d/badware.ch/X9oemQ/dnssec/
badware.ch previous key rollover finished. key 39414 is unused and will
be removed from the DNSKEY rrset soon. No "rndc" command has been used
to tell named to complete the key rollover.
Next key rollover started with the introduction of key 15769:
https://dnsviz.net/d/badware.ch/X-L1BQ/dnssec/
DNSSEC Policy:
dnssec-policy "test" {
keys {
csk key-directory lifetime 7d algorithm 13;
};
// Key timings
dnskey-ttl 3600;
publish-safety 1h;
retire-safety 1h;
// Zone parameters
max-zone-ttl 3600;
zone-propagation-delay 300;
// Parent parameters
parent-ds-ttl 1h;
parent-propagation-delay 1h;
};
Thank you,
Daniel
[1]
https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2
More information about the bind-users
mailing list