Ask for automated KSK roll with DS checking
Matthijs Mekking
matthijs at isc.org
Fri Apr 16 06:13:50 UTC 2021
On 15-04-2021 18:44, Tony Finch wrote:
> Matthijs Mekking <matthijs at isc.org> wrote:
>> On 15-04-2021 16:35, Bob Harold wrote:
>>>
>>> If BIND holds both the child and parent zone, will it add the DS record
>>> at the correct time? Or do I still need to write scripts to update the
>>> DS records in all my sub-zones? And is there some signal from BIND at
>>> the time the DS record should be written, or do I need to calculate the
>>> right time?
>>
>> Currently you still have to write scripts to update DS records in all
>> your parent zones.
>>
>> The CDS/CDNSKEY records are published in the child zones that indicate
>> the DS should be published, so I would script against that.
>>
>> Then when the DS is seen in the parent, call the rndc dnssec -checkds
>> published/withdrawn command.
>
> dnssec-cds can tell you what the parental DS record(s) should be. It
> can maintain a dsset file for each child zone that you can $INCLUDE in the
> parent. It's fairly bare so it needs to be wrapped with a script that does
> the necessary queries and updates.
>
> I don't know if the dnssec-policy stuff includes timing parameters or
> checks to protect against parental publication delays; if not then the
> wrapper script will have to keep track of time or poll the parent servers
> or something.
It does.

After you have issued the 'rndc dnssec -checkds published' command
(which should be done only if you have seen the DS in the parent), BIND
will wait for 'parent-ds-ttl' plus 'parent-propagation-delay' plus
'retire-safety' before actually considering the DS omnipresent. The DS
needs to be omnipresent before the predecessor DNSKEY may be removed.

The defaults for these values are 1 day, 1 hour, and 1 hour. So after
running the 'rndc dnssec -checkds published' command, by default the
rollover will continue 26 hours later.

You should set these parameters to whatever your parent zone is using.
You should set the 'retire-safety' delay to whatever you feel
comfortable with.

Best regards,

Matthijs
>
> Tony.
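For scripting against the CDS/DS check and the waiting period described in the thread, here is an added Python example (not BIND's code and not from any poster): it compares the CDS records a child publishes with the DS set seen in the parent, and computes when BIND will treat the DS as omnipresent from 'parent-ds-ttl', 'parent-propagation-delay' and 'retire-safety'. The key tags and digests are constructed placeholders, the duration parser covers only the TTL-style spelling ('1d', '1h'), and the actual DNS queries are left to the wrapper script.

```python
# Added example, not BIND's code: the check a wrapper script runs before
# 'rndc dnssec -checkds published', and the wait BIND applies afterwards.
import re
from datetime import datetime, timedelta, timezone

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_duration(value):
    """Parse a BIND-style duration ('1d', '1h30m', '3600') into seconds."""
    value = value.strip().lower()
    if value.isdigit():
        return int(value)
    parts = re.findall(r"(\d+)([smhdw])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unrecognised duration: {value!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)

def normalise_ds(rdata):
    """Split DS/CDS rdata into (key tag, algorithm, digest type, digest)."""
    tag, alg, dtype, *digest = rdata.split()
    return (int(tag), int(alg), int(dtype), "".join(digest).lower())

def ds_published(child_cds, parent_ds):
    """True only when every CDS the child advertises is already a DS in the parent
    and the child is not signalling DS removal with the '0 0 0 00' CDS."""
    wanted = {normalise_ds(r) for r in child_cds}
    if not wanted or (0, 0, 0, "00") in wanted:
        return False
    return wanted <= {normalise_ds(r) for r in parent_ds}

def ds_omnipresent_at(checkds_time, parent_ds_ttl="1d",
                      parent_propagation_delay="1h", retire_safety="1h"):
    """Earliest time BIND treats the DS as omnipresent after 'rndc dnssec -checkds
    published' was run at checkds_time; defaults are dnssec-policy's (26h total)."""
    wait = sum(parse_duration(v) for v in (parent_ds_ttl, parent_propagation_delay, retire_safety))
    return checkds_time + timedelta(seconds=wait)

# Constructed sample data: key tags and digests are placeholders, not real values.
CHILD_CDS = ["20000 13 2 " + "ab" * 32]
PARENT_DS_OLD = ["10000 13 2 " + "cd" * 32]                   # predecessor DS only
PARENT_DS_NEW = PARENT_DS_OLD + ["20000 13 2 " + "AB" * 32]   # new DS added (hex case differs)
T0 = datetime(2021, 4, 16, 6, 13, 50, tzinfo=timezone.utc)     # when checkds was issued

if __name__ == "__main__":
    if ds_published(CHILD_CDS, PARENT_DS_NEW):
        print("DS seen in parent: safe to run 'rndc dnssec -checkds published'")
        print("DS omnipresent at", ds_omnipresent_at(T0).isoformat())
```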