key signing

Alan Batie alan at peak.org
Tue Mar 10 23:29:47 UTC 2020


On 3/10/20 4:03 PM, Mark Andrews wrote:
> Firstly don’t blindly add DS records without first checking that the DNSKEYs
> they refer to are published.  DNSSEC is less tolerant of operator error and
> sometimes things go wrong.  There are lots of “wait until …” in managing DNSSEC
> and if you don’t wait DNSSEC validations will fail as a result as you have seen.

I have been trying to figure out a good way to validate that everything
is ready for the DS record to be published - a "zone_test" script, but
that's a separate issue.

> I see the following which indicates to me that 9675 is published but not active
> and 28998 is published and active.

Yes, those are both zone signing keys (migrating from sha1 to sha256)


> [beetle:~/git/bind9] marka% 
> 
> and with the following DS records there isn’t secure path.
> 
> cascocom.com.		85427	IN	DS	9675 5 2 EBC1B325B8740433571AC648B0925A2158D5521446DFE50402142243E834F234
> cascocom.com.		85427	IN	DS	30841 8 2 E8870853532B4CF3588FE6B4DE59324F5E99C8C40F29CDED06845321CFDAB46C
> 
> now I don’t know exactly what you did but detected error will have been logged.

I'm not sure how a DS record for 9675 got generated, as that's a zsk?

It might be better to wipe everything for this zone and start over as I
seem to have done something that got it very confused.

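The check Mark describes (confirm the DNSKEY a DS refers to is actually published before publishing the DS), as an added example that is not code from the thread or from BIND: it recomputes the RFC 4034 key tag and RFC 4509 SHA-256 digest from a DNSKEY set and reports whether a candidate DS line matches a published KSK, flagging the case Alan hit where the tag belongs to a ZSK. All key material and the zone name are constructed placeholders.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key_b64: str

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm])
                + base64.b64decode(self.public_key_b64))

    def is_ksk(self) -> bool:
        return bool(self.flags & 0x0001)  # SEP bit set on keys meant for DS records


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name (lowercase, length-prefixed labels)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_for(key: DNSKEY) -> tuple[int, int, int, str]:
    """(key tag, algorithm, digest type 2, digest) as the DS RDATA would show."""
    digest = hashlib.sha256(owner_wire(key.owner) + key.rdata()).hexdigest().upper()
    return key_tag(key.rdata()), key.algorithm, 2, digest


def check_ds(ds: tuple[int, int, int, str], published: list[DNSKEY]) -> tuple[bool, str]:
    """Return (ok, reason); ok only if a published KSK reproduces this DS exactly."""
    tag, alg, dtype, digest = ds
    if dtype != 2:
        return False, "only digest type 2 (SHA-256) is handled here"
    for key in published:
        if key_tag(key.rdata()) == tag and key.algorithm == alg:
            if ds_for(key)[3] != digest.upper():
                return False, f"key tag {tag} is published but the digest differs"
            if not key.is_ksk():
                return False, f"key tag {tag} is a ZSK (SEP bit clear); no DS should point at it"
            return True, f"key tag {tag} matches a published KSK"
    return False, f"no published DNSKEY with key tag {tag} and algorithm {alg}"


# Constructed sample set: one KSK (flags 257) and one ZSK (flags 256), algorithm 8.
KSK = DNSKEY("example.com.", 257, 3, 8, "AwEAAcAB")
ZSK = DNSKEY("example.com.", 256, 3, 8, "AwEAAdIC")
```

Feed `check_ds` the DS lines you are about to hand to the registrar together with the DNSKEY RRset fetched from every authoritative server, and publish only once every DS comes back `True`.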
