DNSSEC: Why aren't the old keys going hidden?
Larry Rosenman
ler at lerctr.org
Mon May 2 02:30:48 UTC 2022
On 05/01/2022 8:53 pm, Mark Andrews wrote:
> Why should you want them to go away while you still have DS records
> referencing them?
>
> You also have a CDS record referencing a DNSKEY that dnssec-policy
> doesn’t seem to know about.
>
> sienawx.us. 2892 IN CDS 49366 8 2
> 60E3D64328B3D8929838FD1F2AB03CD5C8C72E3185C667B059E00157 D95F8CED
>
> The DS records need to be removed before the DNSKEYs referencing them
> go. Also does your registrar support CDS/CDNSKEY or do you need to
> manually update the DS records? Based on
> https://support.google.com/domains/answer/6387342?hl=en&ref_topic=9018335
> I’d say no
>
[SNIP]
Thanks, Mark. I've cleaned up the DS records in Google, and fixed the sienawx.us CDS issue (it was added by bind at some point, but wasn't in my unsigned zone, so I stopped bind, removed the signed version of the zone, upped the SOA serial in the unsigned version to higher than what was in the signed version, and restarted bind).

I also didn't realize I needed to do an rndc dnssec -checkds -key <keyid> withdrawn <domain>.
I did find a manpage bug for the rndc man page for 9.18.2:
dnssec (-status | -rollover -key id [-alg algorithm] [-when time] |
-checkds [-key id [-alg algorithm]] [-when time] published |
withdraw))
zone [class [view]]
s/withdraw/withdrawn/
withdraw garners a syntax error :(
Thanks for the inbound clue-by-four.
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: ler at lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106
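The check Mark describes (a DS at the parent has to be gone before the DNSKEY it references is withdrawn, and a CDS should only name a key the zone actually holds) can be verified offline before touching rndc. The following is an added example, not BIND's own code or anything from the thread: it computes key tags and DS digests for DNSKEYs taken from the zone apex and reports which DS/CDS records at the parent still match a key and which match none. The DNSKEY is a constructed placeholder; the 49366 CDS is the one quoted above.

```python
import base64
import hashlib

# Digest types a DS/CDS record may carry (RFC 4509, RFC 6605).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA from its presentation-format fields."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical lowercase wire-format owner name, as hashed into a DS."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_digest(owner, rdata, digest_type):
    """Hex digest the DS for this DNSKEY carries (RFC 4034 section 5.1.4)."""
    return DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner, rdata, ds):
    """True when DS tuple (tag, alg, digest_type, digest_hex) covers this DNSKEY."""
    tag, alg, dtype, digest = ds
    digest = digest.replace(" ", "").upper()  # dig wraps long digests with spaces
    return (dtype in DIGESTS and key_tag(rdata) == tag and rdata[3] == alg
            and ds_digest(owner, rdata, dtype) == digest)

def classify(owner, dnskeys, ds_records):
    """dnskeys: (flags, proto, alg, pubkey_b64) tuples from the zone apex.
    Returns (key tags still referenced by a DS, DS records matching no key)."""
    rdatas = [dnskey_rdata(*k) for k in dnskeys]
    referenced, stale = set(), []
    for ds in ds_records:
        if any(ds_matches(owner, r, ds) for r in rdatas):
            referenced.add(ds[0])
        else:
            stale.append(ds)
    return sorted(referenced), stale

# Constructed sample: one KSK (flags 257, alg 8) with a placeholder 4-byte key, plus the thread's CDS.
ZONE, KEYS = "sienawx.us.", [(257, 3, 8, "AQIDBA==")]
LIVE_DS = (key_tag(dnskey_rdata(*KEYS[0])), 8, 2, ds_digest(ZONE, dnskey_rdata(*KEYS[0]), 2))
OLD_CDS = (49366, 8, 2, "60E3D64328B3D8929838FD1F2AB03CD5C8C72E3185C667B059E00157 D95F8CED")
```

Feed it the DNSKEY RRset from the zone and the DS RRset from the parent (both obtainable with dig); only a key tag that no longer appears in the referenced list is one you can safely pass to rndc dnssec -checkds -key <keyid> withdrawn <zone>.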