BIND-9.16.1 & KASP

Mark Elkins mje at posix.co.za
Mon Apr 13 12:22:53 UTC 2020


Hi all,

I have been experimenting with BIND-9.16.1 & KASP. So far - it really 
looks great and it should greatly simplify DNSSEC for the masses.

My named.conf entry:-

dnssec-policy "ecdsa256-policy" {
     dnskey-ttl 3600;
     keys {
         ksk lifetime unlimited algorithm ecdsa256;
         zsk lifetime 34d algorithm ecdsa256;
     };
};

zone "smtp.co.za" {
         type master;
         file "/etc/ns.d/pri/smtp.co.za/db.smtp.co.za";
         key-directory "/etc/ns.d/pri/smtp.co.za/keys";
         dnssec-policy "ecdsa256-policy";
};

My experimental zone (smtp.co.za) is still waiting for the initial period of 
(I think) about 25 hours since setup, so no CDS records in the zone yet - 
but I do have two new unknown records. From the command:-
dig @localhost smtp.co.za axfr | grep -v RRSIG

smtp.co.za.        1200    IN    SOA    jekyll.smtp.co.za. 
dns-admin.posix.co.za. 2018091104 86400 10800 604800 600
smtp.co.za.        0    IN    TYPE65534 \# 5 0D0D740001
smtp.co.za.        0    IN    TYPE65534 \# 5 0D1BDA0001
smtp.co.za.        3600    IN    DNSKEY    256 3 13 
Rty3kVtsujkbxhKfvVP/xaK2vKetLwBxW9cd0M0GxrpIh8PdvAoTC8us 
pgljMfMC5PIfNeLp+ZZKH0D0nJVSGg==
smtp.co.za.        3600    IN    DNSKEY    257 3 13 
LlDBhlTpPzo7/8hgaIe8AursP216+EuqYjwO23k8dlmIFqKRUEspMPHP 
jKcqBWrSkoiKbxI2IcbSECynYrehAA==
smtp.co.za.        1200    IN    A    196.43.2.142
...

In my own web management interface, it collects the KSK DNSKEY and 
generates its own CDS - which it then EPP's up to the parent. That all 
got done late last night - so the zone is secure (asking 1.1.1.1 - AD is 
set and correct data returns).

Question - What are the "TYPE65534" records? What are they saying? I am 
using "DiG 9.16.1" so surprised it doesn't know.

My zone's '$TTL' is 1200... so I would have thought the CDS record would 
have appeared by now.
I "signed" the zone at Apr 12 21:27 +02:00 and it's now 16 hours later. I 
thought the biggest delay factor is the zone's $TTL, often set to one day.

Looks like the SOA Serial Number still needs to be maintained manually. 
Was expecting a more OpenDNSSEC approach. Would love an automated 
YYYYMMDDxx number - date it was last 'modified'. Would be perfect for 
small zones that are rarely updated.

-- 

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
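The TYPE65534 records asked about above are BIND's private-type records, which BIND uses to track per-key signing state while a zone is being signed or unsigned (`rndc signing -list <zone>` prints them in readable form). The decoder below is an added example, not code from the poster or from BIND; it assumes the 5-byte layout BIND documents for signing-state records (algorithm, two-byte key tag, removal flag, completion flag) and feeds it the two RDATA strings from the post as constructed sample input. Other private-type layouts BIND may emit (for example NSEC3 chain state) are rejected rather than guessed at.

```python
import re

# DNSSEC algorithm numbers from the IANA registry; only the common ones.
ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256",
              14: "ECDSAP384SHA384", 15: "ED25519"}

# RFC 3597 generic RDATA as dig prints it:  \# <length> <hex bytes>
GENERIC_RDATA = re.compile(r"^\\#\s+(\d+)\s*([0-9A-Fa-f\s]*)$")


def parse_generic_rdata(text):
    """Decode an RFC 3597 generic-format RDATA string into raw bytes."""
    m = GENERIC_RDATA.match(text.strip())
    if not m:
        raise ValueError("not in RFC 3597 generic format: %r" % text)
    declared = int(m.group(1))
    raw = bytes.fromhex("".join(m.group(2).split()))
    if len(raw) != declared:
        raise ValueError("declared %d bytes but found %d" % (declared, len(raw)))
    return raw


def parse_signing_state(rdata):
    """Interpret a BIND private-type (TYPE65534) signing-state record.

    Assumed layout (BIND's documented private-type signing record):
      byte 0    : DNSSEC algorithm number
      bytes 1-2 : key tag, big-endian
      byte 3    : 1 if signatures by this key are being removed, else 0
      byte 4    : 1 if the signing/unsigning pass is complete, else 0
    A leading zero byte marks a different (NSEC3 chain) layout, which
    this example does not decode.
    """
    raw = parse_generic_rdata(rdata) if isinstance(rdata, str) else bytes(rdata)
    if len(raw) != 5 or raw[0] == 0:
        raise ValueError("not a 5-byte signing-state record: %s" % raw.hex())
    alg = raw[0]
    return {
        "algorithm": alg,
        "algorithm_name": ALGORITHMS.get(alg, "ALG%d" % alg),
        "key_tag": int.from_bytes(raw[1:3], "big"),
        "removing": bool(raw[3]),
        "complete": bool(raw[4]),
    }


def describe(rdata):
    """One-line human-readable summary, similar in spirit to rndc's output."""
    s = parse_signing_state(rdata)
    verb = "Removing signatures by" if s["removing"] else "Signing with"
    status = "complete" if s["complete"] else "in progress"
    return "%s key %d/%s (%s)" % (verb, s["key_tag"], s["algorithm_name"], status)


# Constructed sample input: the two TYPE65534 RDATA strings from the post.
SAMPLE = [r"\# 5 0D0D740001", r"\# 5 0D1BDA0001"]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r, "->", describe(r))
```

Both sample records decode to algorithm 13 (ECDSAP256SHA256) with the completion flag set and the removal flag clear, i.e. signing with each key has finished; the two key tags can be cross-checked against the zone's DNSKEY RRset with `dnssec-dsfromkey` or `rndc signing -list`.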

