dnssec-policy - KSK rollover

Mark Elkins mark at posix.co.za
Thu Nov 24 08:56:13 UTC 2022


:-)     Will let you know in a year!


PS - please, please keep the CDSs in the child zone - reflecting the 
current KSKs!  (etc)

On 2022/11/24 09:50, Matthijs Mekking wrote:
> Hi,
>
> I think this should work with some caveats.
>
> First, if you migrate to dnssec-policy (that is the zone is already 
> signed), make sure that the key properties match the current DNSKEYs.
>
> Second is about your script:
>
> > If the child loses a CDS record - my external script will remove the
> > corresponding DS record from the parent.
>
> This is true for BIND 9, as it will publish the CDS for as long as the 
> DS should be in the parent. But it doesn't have to be the case. The 
> RFC (7344) says:
>
>    When the Parent DS is in sync with the CDS/CDNSKEY
>    RRset(s), the Child DNS Operator MAY delete the CDS/CDNSKEY RRset(s);
>    the Child can determine if this is the case by querying for DS
>    records in the Parent.
>
> Personally I like to keep the CDS in the child zone, so you can see if 
> the parent is in sync, that is why I implemented it in BIND 9 to keep 
> the CDS.
>
> Best regards,
>
> Matthijs
>
>
> On 23-11-2022 18:24, Mark Elkins via bind-users wrote:
>> Hi people,
>>
>> I have read https://kb.isc.org/docs/dnssec-key-and-signing-policy
>>
>> I have put the following policy in my named.conf file:-
>>
>> dnssec-policy "ecdsa256-policy" {
>>      signatures-refresh 5d;
>>      signatures-validity 14d;
>>      signatures-validity-dnskey 14d;
>>      dnskey-ttl 3600;
>>      publish-safety 1h;
>>      retire-safety 1h;
>>      purge-keys 10d;
>>
>>      keys {
>>          ksk lifetime 370d algorithm ecdsa256;   // <---- this part in particular!
>>          zsk lifetime 34d algorithm ecdsa256;
>>      };
>>
>>      zone-propagation-delay 300s;
>>      max-zone-ttl 86400s;
>>      parent-propagation-delay 1h;
>>      parent-ds-ttl 3600;
>> };
>>
>> I also have some external code that goes trawling for CDS records and 
>> puts into a parent whatever it finds in the child - that in this case 
>> is signed with the above policy stanza.
>>
>> If the child creates a new CDS - my external scripts will find it and 
>> pop it into the parent as a DS record.
>> If the child loses a CDS record - my external script will remove the 
>> corresponding DS record from the parent.
>> Basically - whatever is in the child as a CDS will be in the parent 
>> as a DS.
>> A null CDS removes all DS records - but that's not my question.
>>
>> Is there anything else I need to do? Any additional rndc's ??
>>
>> -- 
>>
>> Mark James ELKINS  -  Posix Systems - (South) Africa
>> mje at posix.co.za       Tel: +27.826010496 <tel:+27826010496>
>>
>>
-- 

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.826010496 <tel:+27826010496>
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
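The decision logic a parent-side CDS-to-DS sync script needs, written as an added example (not Mark's script and not BIND code): it treats an absent CDS RRset as "nothing to do", as Matthijs's RFC 7344 quote allows, treats the null CDS `0 0 0 00` as the RFC 8078 "withdraw all DS" signal, and otherwise makes the parent's DS set equal to the child's CDS set. The sample rdata lines are constructed, and the "review" outcome for a CDS set that shares no record with the current DS set is my own assumed policy, not something the thread specifies.

```python
from __future__ import annotations

# Constructed sample rdata, in the form `dig +short CDS child.example` and
# `dig +short DS child.example @parent` print them (dig may wrap the digest
# with an embedded space, as in NEW_KSK_WRAPPED). Not real key material.
OLD_KSK = "12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
NEW_KSK = "23456 13 2 FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210"
NEW_KSK_WRAPPED = "23456 13 2 FEDCBA9876543210FEDCBA9876543210FEDCBA98 76543210FEDCBA9876543210"

NULL_CDS = (0, 0, 0, "00")  # RFC 8078 "delete all DS" record


def parse_rdata(line: str) -> tuple[int, int, int, str]:
    """Parse one CDS/DS rdata line into (keytag, algorithm, digest type, digest).

    Whitespace inside the digest is dropped and hex is upper-cased so that the
    same record compares equal whichever way dig wrapped it.
    """
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"not a CDS/DS rdata line: {line!r}")
    keytag, alg, dtype = (int(f) for f in fields[:3])
    return keytag, alg, dtype, "".join(fields[3:]).upper()


def plan_ds_update(cds_lines: list[str], ds_lines: list[str]) -> dict:
    """Decide what the parent should do with its DS RRset.

    action "noop":       no CDS published. RFC 7344 lets the child delete the
                         CDS once the parent is in sync, so absence != removal.
    action "delete-all": null CDS present (RFC 8078): withdraw every DS.
    action "review":     assumed local policy: a CDS set with no overlap with
                         the current DS set is held for operator review, since
                         a BIND KSK rollover always publishes both KSKs' CDS.
    action "sync":       add/remove so that DS == CDS.
    """
    cds = {parse_rdata(line) for line in cds_lines}
    ds = {parse_rdata(line) for line in ds_lines}
    if not cds:
        return {"action": "noop", "add": [], "remove": []}
    if NULL_CDS in cds:
        return {"action": "delete-all", "add": [], "remove": sorted(ds)}
    action = "review" if ds and not (cds & ds) else "sync"
    return {"action": action, "add": sorted(cds - ds), "remove": sorted(ds - cds)}


if __name__ == "__main__":
    # Mid-rollover: child publishes CDS for old and new KSK, parent has only old DS.
    print(plan_ds_update([OLD_KSK, NEW_KSK_WRAPPED], [OLD_KSK]))
```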

