How to prevent gratuitous publication of CDS/CDNSKEY records
Niall O'Reilly
niall.oreilly at ucd.ie
Thu Apr 14 11:59:50 UTC 2022
Hi.
Clue needed, please.
I’ve managed to migrate a number of zones from cron-driven signing
using homegrown scripts to automatic management by named, while
retaining the respective original KSK for each.
Following migration, ZSK:s have been replaced as might be expected,
since the keys were shorter than is nowadays recommended.
The old ZSK files are still lingering in the key-directory.
I’m seeing that fresh CDS and CDNSKEY are being generated, and
wonder why, as the CDS RDATA matches the parent CD RDATA. I’ve
deleted these using nsupdate, only to find them re-inserted
some time later.
Could it be significant that the parent DS TTL differs from that
of the local CDS?
One of the zones involved is foo.ie.
The server is running BIND 9.16.27-Ubuntu, installed from ppa:isc/bind.
Here below is the relevant dnssec-policy configuration fragment.
```
dnssec-policy persistent {
// This policy attempts to match or accommodate what zonefactory did
// and gives keys unrestricted lifetime
dnskey-ttl 3600;
keys {
ksk lifetime unlimited algorithm rsasha256;
zsk lifetime unlimited algorithm rsasha256;
};
max-zone-ttl 3600;
parent-ds-ttl 86400;
parent-propagation-delay 48h;
publish-safety 7d;
retire-safety 7d;
signatures-refresh 5d;
signatures-validity 30d;
signatures-validity-dnskey 30d;
zone-propagation-delay 2h;
};
```
Thanks in anticipation.
Niall
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20220414/43721f81/attachment-0001.htm>
More information about the bind-users
mailing list