How to prevent gratuitous publication of CDS/CDNSKEY records

Matthijs Mekking matthijs at isc.org
Thu Apr 14 12:22:15 UTC 2022


Hi Niall,

On 14-04-2022 13:59, Niall O'Reilly wrote:
> Hi.
> 
> Clue needed, please.
> 
> I’ve managed to migrate a number of zones from cron-driven signing
> using homegrown scripts to automatic management by named, while
> retaining the respective original KSK for each.
> 
> Following migration, ZSKs have been replaced as might be expected,
> since the keys were shorter than is nowadays recommended.
> The old ZSK files are still lingering in the key-directory.

Keys will be purged after the 'purge-keys' interval, which by default is 
90 days after they have been removed from the zone.

> I’m seeing that fresh CDS and CDNSKEY are being generated, and
> wonder why, as the CDS RDATA matches the parent CD RDATA. I’ve
> deleted these using nsupdate, only to find them re-inserted
> some time later.

If you use dnssec-policy, you leave the DNSSEC signing to BIND. It 
inserts CDS and CDNSKEY records of the keys that require a DS in the parent.

Note that those records may be removed once the parent has the 
corresponding DS published, but these records may also stay in the zone. 
BIND chooses to keep them in the zone, so that it is clear which DS is 
expected at the parent from the child zone's perspective.


> Could it be significant that the parent DS TTL differs from that
> of the local CDS?

No.

Best regards,

Matthijs


> One of the zones involved is foo.ie.
> 
> The server is running BIND 9.16.27-Ubuntu, installed from ppa:isc/bind.
> 
> Here below is the relevant dnssec-policy configuration fragment.
> 
> dnssec-policy persistent {
>     // This policy attempts to match or accommodate what zonefactory did
>     // and gives keys unrestricted lifetime
>     dnskey-ttl 3600;
>     keys {
>         ksk lifetime unlimited algorithm rsasha256;
>         zsk lifetime unlimited algorithm rsasha256;
>     };
>     max-zone-ttl 3600;
>     parent-ds-ttl 86400;
>     parent-propagation-delay 48h;
>     publish-safety 7d;
>     retire-safety 7d;
>     signatures-refresh 5d;
>     signatures-validity 30d;
>     signatures-validity-dnskey 30d;
>     zone-propagation-delay 2h;
> };
> 
> Thanks in anticipation.
> 
> Niall
> 
> 

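The check Matthijs describes (the CDS/CDNSKEY set says which DS the child expects at the parent; the parent's DS TTL is irrelevant because only RDATA is compared) can be done offline. The following is an added example written for this page, not code from the thread or from BIND. It derives DS RDATA from CDNSKEY RDATA exactly as a parent would (RFC 4034 key tag and digest over owner name plus DNSKEY RDATA) and reports CDS records the parent has not published and parent DS records the child no longer advertises. The zone name example.test and its algorithm 13 key bytes are constructed placeholders (the key is not valid ECDSA material, which does not matter for the tag and digest arithmetic); the root KSK-2017 record is real public data used as a self-check, since its DS digest is published in the IANA trust anchor. Feed it the output of `dig CDNSKEY`, `dig CDS` and `dig DS` at the parent to use it for real.

```python
"""Compare a child zone's CDS/CDNSKEY set with the DS set at its parent.

Added example for this bind-users thread; not BIND's own code.
"""
import base64
import hashlib
import struct

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, root terminator."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(text: str) -> bytes:
    """'flags protocol algorithm base64...' (DNSKEY or CDNSKEY) -> RDATA bytes."""
    flags, proto, alg, *key = text.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key))


def parse_ds(text: str) -> tuple:
    """'keytag algorithm digesttype hex...' (DS or CDS) -> comparable tuple, TTL-free."""
    tag, alg, dtype, *digest = text.split()
    return (int(tag), int(alg), int(dtype), "".join(digest).upper())


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """The DS RDATA a parent derives from this DNSKEY: digest(owner | DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def check_delegation(owner, cdnskey_rrs, cds_rrs, parent_ds_rrs, digest_type=2):
    """Return three sets of DS tuples describing how child and parent disagree.

    'cds_without_key'   : CDS with no CDNSKEY in the child that produces it
    'missing_at_parent' : CDS the parent has not (yet) published as DS
    'stale_at_parent'   : DS at the parent for which the child publishes no CDS
    All three empty means the delegation is consistent; TTLs are never compared.
    """
    cds = {parse_ds(r) for r in cds_rrs}
    parent = {parse_ds(r) for r in parent_ds_rrs}
    types = {d[2] for d in cds} or {digest_type}
    expected = {ds_from_dnskey(owner, parse_dnskey(r), t) for r in cdnskey_rrs for t in types}
    return {
        "cds_without_key": cds - expected,
        "missing_at_parent": cds - parent,
        "stale_at_parent": parent - cds,
    }


# Constructed sample data (hypothetical zone, placeholder key bytes 00 01 02 03).
ZONE = "example.test"
CDNSKEY_RRS = ["257 3 13 AAECAw=="]
_cds = ds_from_dnskey(ZONE, parse_dnskey(CDNSKEY_RRS[0]))
CDS_RRS = ["%d %d %d %s" % _cds]
PARENT_DS_OK = list(CDS_RRS)                                   # parent already updated
PARENT_DS_STALE = ["%d %d %d %s" % (_cds[0], _cds[1], _cds[2], "00" * 32)]  # old DS left at parent

# Real public record: the root zone KSK-2017, whose DS is the IANA trust anchor.
ROOT_KSK_2017 = (
    "257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
)


def root_anchor_ds() -> tuple:
    """DS derived from KSK-2017; should match the published trust anchor (tag 20326)."""
    return ds_from_dnskey(".", parse_dnskey(ROOT_KSK_2017))


if __name__ == "__main__":
    print("root KSK-2017 -> DS", root_anchor_ds())
    print("parent up to date :", check_delegation(ZONE, CDNSKEY_RRS, CDS_RRS, PARENT_DS_OK))
    print("parent has old DS :", check_delegation(ZONE, CDNSKEY_RRS, CDS_RRS, PARENT_DS_STALE))
```

A non-empty `missing_at_parent` is the case the thread is about: BIND keeps publishing the CDS/CDNSKEY until (and, as Matthijs notes, beyond) the moment the parent carries the matching DS, so this set, not the TTL, is what to compare.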
