dnssec-policy - CSK rollover help

vom513 vom513 at gmail.com
Sat Nov 19 23:50:58 UTC 2022


Hello,

So I reconfigured one of my domains to use dnssec-policy.  I’m using the policy “default” + I’ve only added nsec3 stuff.  All other timers / params are from default.  Working fine / as expected.

Luckily for me this is a domain that I don’t use much.  So outages and mistakes are easily tolerable.

After a bumpy start, I have the zone “happy” - that is, fully signed, DS in parent, and all timers reading “omnipresent”.

I’m trying to use this ISC KB as a guide: https://kb.isc.org/docs/dnssec-key-and-signing-policy

So I decided to try a rollover.  So I did: rndc dnssec -rollover -key 12345 -when 20221122230000 example.com

This now shows up as scheduled in rndc dnssec -status.

However, I expected BIND to create a successor CSK.  Nothing in the key dir, nothing in logs, nothing in rndc status.

The whole point of course is to have two “overlapping” keys, two DS’es, i.e. two chains of trust.  And then when everything is happy timer-wise, the old key (and DS) can go away.

Is BIND going to do this sometime before the actual rollover?  Or is there something else I need to do?  Speaking of this - what exactly happens at the rollover time?

Thanks.
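A check a practitioner would run alongside `rndc dnssec -status` during this kind of rollover, as an added example that is not part of the original post or of BIND's own code: it computes the key tag and SHA-256 DS for each SEP-flagged DNSKEY in the zone and reports which of them the parent actually anchors, so it is visible whether one or two chains of trust exist. The `example.com.` name comes from the post; the key material is a constructed placeholder.

```python
import hashlib
import struct

# Added example (not from the original post): check which CSKs in a zone's
# DNSKEY RRset have a matching DS in the parent, i.e. how many chains of trust
# exist during a CSK rollover. The sample keys below are constructed, not real.

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034, Appendix B: 16-bit word sum with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(owner: str) -> bytes:
    """Canonical lower-case wire-format owner name (length-prefixed labels, root label last)."""
    labels = owner.rstrip(".").lower().split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def ds_record(owner: str, rdata: bytes) -> tuple:
    """DS RDATA for digest type 2 (SHA-256, RFC 4509): (key tag, algorithm, 2, digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def check_chains(owner: str, dnskeys: list, parent_ds: set) -> dict:
    """Map each SEP-flagged key's tag to whether the parent publishes a matching DS."""
    anchored = {}
    for rdata in dnskeys:
        flags = struct.unpack("!H", rdata[:2])[0]
        if not flags & 0x0001:      # no SEP bit: a plain ZSK, never in the parent
            continue
        anchored[key_tag(rdata)] = ds_record(owner, rdata) in parent_ds
    return anchored

if __name__ == "__main__":
    # Constructed placeholder CSKs (flags 257 = ZONE|SEP, algorithm 13 = ECDSAP256SHA256).
    old_csk = dnskey_rdata(257, 3, 13, b"\x01" * 64)
    new_csk = dnskey_rdata(257, 3, 13, b"\x02" * 64)
    # Parent still carries only the DS of the old key: the rollover is not complete.
    parent = {ds_record("example.com.", old_csk)}
    print(check_chains("example.com.", [old_csk, new_csk], parent))
    # Once the successor's DS is published as well, both keys are anchored.
    parent.add(ds_record("example.com.", new_csk))
    print(check_chains("example.com.", [old_csk, new_csk], parent))
```

Feed it the DNSKEY RRset from the zone and the DS RRset fetched from the parent (as a set of the same tuples) to confirm that both the old and the successor CSK are anchored before the old key is retired.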
