Struggling with dnssec-policy timers

Matthijs Mekking matthijs at isc.org
Tue Nov 29 07:39:24 UTC 2022



On 29-11-2022 00:39, vom513 wrote:
> 
> 
>> On Nov 28, 2022, at 3:12 PM, vom513 <vom513 at gmail.com> wrote:
>> 
>> Thanks for the reply and info…
>> 
>> I would have thought the CDS would be published before the key went
>> active.  I.e. there would be a period of TWO DS’es at the parent
>> (I’m assuming the parent supports CDS/CDNSKEY which mine
>> (registrar) does).

This is called Double-DS rollover (RFC 7583, Section 3.3.2). BIND 
implements the Double-KSK method (RFC 7583, Section 3.3.1) for 
dnssec-policy.


>> Since the new key goes active, CDS is published, and the old key is
>> retired at the same time - isn’t this going to cause a (lack of
>> coverage/chain of trust) problem ?  I’m really trying to get to a
>> point of a “one command” rollover.  I.e. no API, no uploading DS,
>> etc.  I guess I’ll see tonight when it happens, but I can’t help
>> but feel when the clock strikes I’m going to be missing DS for the
>> new key at the parent.
>> 
> 
> Sorry to self reply…
> 
> So it did “work” as you said Matthijs… I don’t think I necessarily
> need those timers (publish/retire-safety) that I tweaked.  I’d rather
> use as many bind defaults as possible.  I think a big part of my
> issue was misunderstanding “retired” status.  I nuked everything
> clean and will try this again once everything settles down.  Thanks
> for your patience with me and pointers.

The default publish-safety and retire-safety are set to 3600 seconds.
They are meant to delay rollovers to deal with unforeseen events. I
don't think you need to change them unless you have a good reason to do so.


> PS: My registrar says they check CDS/CDNSKEY once a day.  Do you
> think that’s reasonable ?  I certainly appreciate them being
> cognizant/careful of too much load on their systems with too many
> frequent checks, but a day seems long to me...

KSK rollovers are meant to happen infrequently, so once a day seems
reasonable to me.

Note that you would still have to check the parent when the DS has
changed. The DS may be published and withdrawn automatically in the
parent zone if your registrar polls the CDS/CDNSKEY, but BIND by default
does not check whether the DS has actually been published.

Either check it manually or by script, and use "rndc dnssec -checkds" to
signal BIND that a certain DS has been published or withdrawn.

Or set up "parental-agents" in your named.conf, that is, a server that
BIND will query for the DS RRset, to fully automate the KSK rollover.


Best regards,

Matthijs
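The scripted check Matthijs describes above, as an added example that is not part of the thread and not ISC's or BIND's own code: it compares the CDS RRset the child publishes with the DS RRset at the parent and works out which key tags named should be told about with "rndc dnssec -checkds". The zone (example.net), the parent nameserver address (192.0.2.53), the named address (127.0.0.1) and the CDS/DS sample data in the test are hypothetical; the retiring key tags (the old KSK whose DS should disappear) are supplied by the operator, for instance from "rndc dnssec -status". Nothing is fetched or executed unless RUN_LIVE=1 is set.

```shell
#!/bin/sh
# Added example; not code from the original thread or from ISC/BIND.
# Decides, from the child's CDS RRset and the parent's DS RRset, which
# key tags named should be told about with "rndc dnssec -checkds".
# Assumptions (hypothetical): zone example.net, parent nameserver
# 192.0.2.53, named listening on 127.0.0.1, dig/rndc on PATH when
# RUN_LIVE=1. Retiring key tags come from "rndc dnssec -status".

ZONE="${ZONE:-example.net}"
PARENT_NS="${PARENT_NS:-192.0.2.53}"
CHILD_NS="${CHILD_NS:-127.0.0.1}"

# key_tags RRSET_TEXT: print the key tag (first field) of each CDS or DS
# line as "dig +short" prints it ("TAG ALG DIGESTTYPE DIGEST..."), one per
# line, de-duplicated. The RFC 8078 delete record "0 0 0 00" is skipped.
key_tags() {
    printf '%s\n' "$1" |
        awk 'NF >= 4 && $1 ~ /^[0-9]+$/ && $1 != 0 { print $1 }' | sort -un
}

# has_tag "TAGS" TAG: true if TAG is one of the whitespace-separated TAGS.
has_tag() {
    for x in $1; do [ "$x" = "$2" ] && return 0; done
    return 1
}

# classify_ds CDS_TEXT DS_TEXT [RETIRING_TAGS]
# One line per key tag:
#   published TAG  CDS tag is at the parent: signal "published" to named
#   pending TAG    CDS tag not yet at the parent: keep waiting
#   stale TAG      retiring key's DS is still at the parent: keep waiting
#   withdrawn TAG  retiring key's DS is gone: signal "withdrawn" to named
#   unknown TAG    DS at the parent that the child never advertised
classify_ds() {
    cds_tags=$(key_tags "$1")
    ds_tags=$(key_tags "$2")
    retiring="${3:-}"
    for t in $cds_tags; do
        if has_tag "$ds_tags" "$t"; then echo "published $t"; else echo "pending $t"; fi
    done
    for t in $retiring; do
        if has_tag "$ds_tags" "$t"; then echo "stale $t"; else echo "withdrawn $t"; fi
    done
    for t in $ds_tags; do
        has_tag "$cds_tags" "$t" || has_tag "$retiring" "$t" || echo "unknown $t"
    done
    return 0
}

# rndc_commands CDS_TEXT DS_TEXT [RETIRING_TAGS]: the rndc invocations the
# classification implies. Printed rather than run, so they can be reviewed.
rndc_commands() {
    classify_ds "$1" "$2" "${3:-}" | while read -r state tag; do
        case "$state" in
            published|withdrawn)
                echo "rndc dnssec -checkds -key $tag $state $ZONE" ;;
        esac
    done
    return 0
}

# Live run: fetch both RRsets and execute the commands. Off by default.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    cds=$(dig +short @"$CHILD_NS" "$ZONE" CDS)
    ds=$(dig +short @"$PARENT_NS" "$ZONE" DS)
    rndc_commands "$cds" "$ds" "${RETIRING_TAGS:-}" | while read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
fi
```

Run it from cron somewhat more often than the registrar's daily CDS poll, with RUN_LIVE=1 and RETIRING_TAGS set to the tag of the KSK that "rndc dnssec -status" shows waiting for its DS to be withdrawn. "pending" and "stale" lines are the normal state while the parent has not caught up; only "published" and "withdrawn" produce a signal to named. A "parental-agents" entry in named.conf makes this polling unnecessary, because named then queries the DS RRset itself.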

