FW: Bind9.11: dnssec inline signing, cds records and catalog zones
Philippe Maechler
pmaechler-ml at glattnet.ch
Fri Dec 21 15:22:06 UTC 2018
Hi Daniel
Thanks for your answer.
It's your "fault" that I'm doing dnssec stuff and posting here, I saw your speech at SwiNOG 😊
>If your keys have appropriate timing metadata, then the CDS/CDNSKEY
>records are published for your zones automatically:
>
>See man dnssec-keygen
>...
>Timing options:
> -P date/[+-]offset/none: set key publication date (default: now)
> -P sync date/[+-]offset/none: set CDS and CDNSKEY publication date
> -A date/[+-]offset/none: set key activation date (default: now)
> -R date/[+-]offset/none: set key revocation date
> -I date/[+-]offset/none: set key inactivation date
> -D date/[+-]offset/none: set key deletion date
> -D sync date/[+-]offset/none: set CDS and CDNSKEY deletion date
>
>or man dnssec-settime
>
>> And every time I create or activate new keys, I have to manually add the
>> CDS records, right?
>
>Not if your keys have the appropriate timing metadata.
Ok, I'll definitely have to re-read the dnssec-keygen and -settime manpages and play around.
For the keys I generated (with the -a, -b and -3 options provided), I don't see a CDS or CDNSKEY in the signed file. I probably have to use the -Psync <date> option.
Best regards and "schöne Festtage"
Philippe
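As an added example (not from the thread or from BIND itself), a small POSIX shell check that scans a key directory for KSK files lacking the "; SyncPublish:" metadata that "-P sync" writes; without it named will not publish CDS/CDNSKEY for that key. The key file names, timestamps and key material below are constructed.

```shell
#!/bin/sh
# Flag KSK key files that carry no CDS/CDNSKEY publication metadata.
# dnssec-keygen/dnssec-settime store "-P sync" as a "; SyncPublish: YYYYMMDDHHMMSS"
# comment in the .key file; named reads that to decide when to publish CDS/CDNSKEY.

# has_sync_publish FILE -> exit 0 if FILE has a SyncPublish timestamp, 1 otherwise
has_sync_publish() {
    grep -q '^; SyncPublish: [0-9]\{14\}' "$1"
}

# list_keys_missing_sync DIR -> prints basenames of KSK (flags 257) key files
# without SyncPublish metadata; ZSKs (flags 256) never get CDS/CDNSKEY, so skip them
list_keys_missing_sync() {
    for f in "$1"/K*.key; do
        [ -f "$f" ] || continue
        grep -q ' IN DNSKEY 257 ' "$f" || continue
        has_sync_publish "$f" || basename "$f"
    done
}

# make_sample_keys -> creates a temp dir of constructed key files, prints its path
make_sample_keys() {
    d=$(mktemp -d)
    # KSK generated without sync timing: no CDS/CDNSKEY will appear in the signed zone
    cat > "$d/Kexample.com.+013+11111.key" <<'EOF'
; This is a key-signing key, keyid 11111, for example.com.
; Created: 20181221152206 (Fri Dec 21 15:22:06 2018)
; Publish: 20181221152206 (Fri Dec 21 15:22:06 2018)
; Activate: 20181221152206 (Fri Dec 21 15:22:06 2018)
example.com. IN DNSKEY 257 3 13 CONSTRUCTEDFAKEKEYMATERIAL11111==
EOF
    # KSK with "-P sync now" applied: CDS/CDNSKEY get published automatically
    cat > "$d/Kexample.com.+013+22222.key" <<'EOF'
; This is a key-signing key, keyid 22222, for example.com.
; Created: 20181221152206 (Fri Dec 21 15:22:06 2018)
; Publish: 20181221152206 (Fri Dec 21 15:22:06 2018)
; Activate: 20181221152206 (Fri Dec 21 15:22:06 2018)
; SyncPublish: 20181221152206 (Fri Dec 21 15:22:06 2018)
example.com. IN DNSKEY 257 3 13 CONSTRUCTEDFAKEKEYMATERIAL22222==
EOF
    # ZSK: ignored by the check
    cat > "$d/Kexample.com.+013+33333.key" <<'EOF'
; This is a zone-signing key, keyid 33333, for example.com.
; Created: 20181221152206 (Fri Dec 21 15:22:06 2018)
example.com. IN DNSKEY 256 3 13 CONSTRUCTEDFAKEKEYMATERIAL33333==
EOF
    echo "$d"
}
```

For a flagged key the fix is the one the quoted man page describes, e.g. `dnssec-settime -P sync now Kexample.com.+013+11111`, followed by `rndc loadkeys example.com` so named re-reads the timing metadata.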