Ask for automated KSK roll with DS checking
Matthijs Mekking
matthijs at isc.org
Thu Apr 15 14:59:37 UTC 2021
On 15-04-2021 16:35, Bob Harold wrote:
> On Thu, Apr 15, 2021 at 8:50 AM Bob Harold <rharolde at umich.edu> wrote:
>
>> On Thu, Apr 15, 2021 at 2:57 AM Matthijs Mekking <matthijs at isc.org> wrote:
>>
>>> On 14-04-2021 22:30, Greg Rivers via bind-users wrote:
>>>> On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote:
>>>>> Does anyone have an automated KSK roll process, that checks for the DS
>>>>> record at the parent, that they can share?
>>>>>
>>>>> As far as I can tell, the automated signing in BIND will roll the KSK if I
>>>>> set the timing in the policy file, but it won't check the DS record, so it
>>>>> will happily break DNSSEC if some other process does not update the DS
>>>>> record at the right time. That's too big a risk for me, the process needs
>>>>> to check the DS record before completing the KSK roll. Surely someone has
>>>>> done this. I would rather not reinvent the wheel. But I have searched and
>>>>> not found anything yet.
>>>>>
>>>> As I understand it, the way it works now is that the actual KSK rollover
>>>> won't occur until you execute `rndc dnssec -checkds ...` [1].
>>>
>>> That is correct.
>>>
>>>> I'm hopeful that named will fully automate this check at some point soon.
>>>
>>> It is on the roadmap:
>>>
>>> https://gitlab.isc.org/isc-projects/bind9/-/issues/1126
>>>
>>> - Matthijs
>>>
>>>> [1] https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2
>>
>> Thank you both very much. I missed that, and I am testing with the
>> RedHat RHEL7 version of BIND 9.11, which does not seem to wait.
>> Looks like I will need to run a newer version of BIND, at least on
>> my in-line signing server.
>>
>> --
>> Bob Harold
>> University of Michigan
>
> If BIND holds both the child and parent zone, will it add the DS record
> at the correct time? Or do I still need to write scripts to update the
> DS records in all my sub-zones? And is there some signal from BIND at
> the time the DS record should be written, or do I need to calculate the
> right time?
Currently you still have to write scripts to update DS records in all
your parent zones.
The CDS/CDNSKEY records are published in the child zones that indicate
the DS should be published, so I would script against that.
Then when the DS is seen in the parent, call the rndc dnssec -checkds
published/withdrawn command.
Best regards,
Matthijs
> --
> Bob Harold