dnssec-policy: Old DNSKEYs still in zone despite status showing hidden

Matthijs Mekking matthijs at isc.org
Thu Aug 11 15:47:40 UTC 2022


Magnus,

On 11-08-2022 11:26, Magnus Holmgren wrote:
> On Wednesday, 10 August 2022 at 11:21:11 CEST, Matthijs Mekking wrote:
>> On 10-08-2022 11:13, Magnus Holmgren wrote:
>>> One question: Is it
>>> necessary to use rndc dnssec -checkds or is that only meant as a backup,
>>> and named is supposed to query the parent for DS records automatically?
>>
>> That depends if you have set up parental-agents. If not, then you need
>> to run 'rndc dnssec -checkds'.
> 
> I see. I find the documentation a bit sparse, however. "A parental agent is
> the entity that is allowed to change a zone’s delegation information (defined
> in RFC 7344)."; "Parental Agent: The entity that the Child has a relationship
> with to change its delegation information." So what list of servers is it that
> I'm configuring, exactly? The "hard" part is changing the delegation
> information, but that's done through CDS records, which it turns out our
> registrar supports. Verifying that the new DS record is in place should be a
> trivial matter of walking the chain from the root zone, should it not? Should
> I simply list a couple of the respective TLD's name servers? The registrar
> doesn't provide any special server(s) for the purpose, AFAICT.

There are two common scenarios, I think.

First is to list all the public parent servers and add those to your 
parental-agents configuration. BIND will only continue the rollover if 
the new DS has been seen at all those servers.

Second is to set up a local validating resolver. When the DS is validated 
by the resolver, you can assume it is published correctly in the parent.

> Is the idea that you query the parental agent to see that they've picked up
> the CDS and then you trust that the parent zone will be updated within the
> parent-propagation-delay? That doesn't seem right; you'd want to make sure
> that the new DS is visible to the world, right?

Not really.

BIND will query the parental agent to see if they published the DS 
(corresponding to the CDS, yes). So it knows for sure it is visible to 
the world.

The parent-propagation-delay is a safety delay to ensure that the DS has 
been published to all parent secondaries.


Best regards,

Matthijs

> 
> Thanks,
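The first scenario described above (list the parent's public name servers as parental agents), written out as a named.conf fragment. This is an added example, not configuration from the thread or from ISC; the addresses, zone name, policy name and key lifetimes are placeholders (RFC 5737/3849 documentation prefixes), and the parent's real authoritative servers would go in their place. For the second scenario (a local validating resolver), the same stanza is used with the resolver's address as the only agent.

```conf
// Added example (not from the thread): wire a zone's dnssec-policy to a
// parental-agents list so named polls the parent for the new DS itself,
// instead of the operator running 'rndc dnssec -checkds'.
// All addresses and names below are placeholders.

// Servers named will query for the DS RRset. Listing every public
// authoritative server of the parent means the rollover only proceeds
// once all of them return the new DS.
parental-agents "parent-tld-servers" {
    192.0.2.10;          // placeholder: parent NS #1
    192.0.2.11;          // placeholder: parent NS #2
    2001:db8::10;        // placeholder: parent NS #3 (IPv6)
};

dnssec-policy "rollover-policy" {
    keys {
        ksk lifetime P1Y  algorithm ecdsap256sha256;
        zsk lifetime P90D algorithm ecdsap256sha256;
    };
    // Safety delay after the DS has been seen at the agents, covering
    // parent secondaries that have not yet transferred the updated zone.
    parent-propagation-delay 1h;
    // TTL of the DS RRset in the parent; used when timing the withdrawal
    // of the old DS and the retirement of the old key.
    parent-ds-ttl 3600;
};

zone "example.com" {
    type primary;
    file "example.com.db";
    dnssec-policy "rollover-policy";
    parental-agents { "parent-tld-servers"; };
};
```

With this in place the CDS record still has to be picked up by the registrar as before; named then checks the listed agents for the matching DS and, once all of them return it, waits parent-propagation-delay before treating the DS as published. Without a parental-agents list the rollover stays at the DS-submitted step until the operator confirms it manually with 'rndc dnssec -checkds', as noted earlier in the thread.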
