Ask for automated KSK roll with DS checking

Greg Rivers gcr+bind-users at tharned.org
Wed Apr 14 20:30:45 UTC 2021


On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote:
> Does anyone have an automated KSK roll process, that checks for the DS
> record at the parent, that they can share?
> 
> As far as I can tell, the automated signing in BIND will roll the KSK if I
> set the timing in the policy file, but it won't check the DS record, so it
> will happily break DNSSEC if some other process does not update the DS
> record at the right time.  That's too big a risk for me, the process needs
> to check the DS record before completing the KSK roll.  Surely someone has
> done this.  I would rather not reinvent the wheel.  But I have searched and
> not found anything yet.
> 
As I understand it, the way it works now is that the actual KSK rollover won't occur until you execute `rndc dnssec -checkds ...` [1].

I'm hopeful that named will fully automate this check at some point soon.


[1] <https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2>

-- 
Greg
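One way to do the check Greg describes before signalling named, as an added example that is not from this thread and not ISC's code: a POSIX shell script that derives the DS for the new KSK's key tag from the zone's live DNSKEY RRset with dnssec-dsfromkey, confirms a matching DS is served by every authoritative server of the parent, and only then runs `rndc dnssec -checkds -key <tag> published <zone>`. Assumed: BIND 9.16 or later with `dnssec-policy`; dig, dnssec-dsfromkey and rndc on PATH with a working rndc key; the signer answering on 127.0.0.1 (overridable with the AUTH_SERVER variable, an assumption of this script); the parent zone being one label up unless given as the third argument; and the script name checkds.sh, which is hypothetical.

```shell
#!/bin/sh
# checkds.sh (hypothetical name): gate `rndc dnssec -checkds` on the new KSK's
# DS really being served by the parent. Added example, not code from this
# thread or from ISC. Assumptions: BIND 9.16+ with dnssec-policy; dig,
# dnssec-dsfromkey and rndc on PATH with a working rndc key; the signer
# answers on AUTH_SERVER (default 127.0.0.1); the parent zone is one label
# up unless passed as the third argument.
#
#   usage: checkds.sh <zone> <new-ksk-keytag> [parent-zone]
set -u

# Reduce DS records as printed by dig or dnssec-dsfromkey to one line each:
# "keytag algorithm digesttype digest", digest lower-cased and re-joined
# (dig wraps long digests into space-separated chunks). Owner, TTL and class
# are dropped so the two sources compare equal.
normalize_ds() {
    awk '{
        for (i = 1; i <= NF; i++) if (toupper($i) == "DS") break
        if (i + 3 > NF) next                 # not a DS record
        d = ""
        for (j = i + 4; j <= NF; j++) d = d $j
        print $(i+1), $(i+2), $(i+3), tolower(d)
    }' | sort -u
}

# ds_published CANDIDATES OBSERVED: return 0 when at least one candidate DS
# (all digest types computed for the new key) appears in the DS RRset
# observed at a parent server, 1 otherwise. A registrar may publish only one
# digest type, so any match is enough; the key tag alone is not (tags collide).
ds_published() {
    candidates=$(printf '%s\n' "$1" | normalize_ds)
    observed=$(printf '%s\n' "$2" | normalize_ds)
    [ -n "$candidates" ] || { echo "no candidate DS records" >&2; return 1; }
    found=1
    while IFS= read -r ds; do
        [ -n "$ds" ] || continue
        if printf '%s\n' "$observed" | grep -qxF -- "$ds"; then
            echo "match: DS $ds" >&2
            found=0
        fi
    done <<EOF
$candidates
EOF
    return $found
}

main() {
    zone=${1:?usage: checkds.sh zone new-ksk-keytag [parent-zone]}
    keytag=${2:?usage: checkds.sh zone new-ksk-keytag [parent-zone]}
    parent=${3:-${zone#*.}}            # assumption: parent is one label up
    auth=${AUTH_SERVER:-127.0.0.1}
    [ -n "$parent" ] || { echo "cannot derive parent of $zone" >&2; exit 2; }

    # Candidate DS records for the new KSK from the live DNSKEY RRset.
    # dnssec-dsfromkey -f emits DS only for keys with the KSK flag set; the
    # key tag filter picks the key being rolled. Compute SHA-256 and SHA-384
    # so whichever digest the registrar accepted can match.
    dnskeys=$(dig @"$auth" +noall +answer DNSKEY "$zone")
    candidates=$(for alg in SHA-256 SHA-384; do
        printf '%s\n' "$dnskeys" | dnssec-dsfromkey -a "$alg" -f - "$zone"
    done | normalize_ds | awk -v t="$keytag" '$1 == t')
    [ -n "$candidates" ] || { echo "no KSK with key tag $keytag in $zone at $auth" >&2; exit 2; }

    # The DS must be served by every authoritative server of the parent,
    # queried directly (not through a cache), or some resolvers still fail.
    nslist=$(dig +short NS "$parent")
    [ -n "$nslist" ] || { echo "no NS records found for parent $parent" >&2; exit 2; }
    for ns in $nslist; do
        observed=$(dig @"$ns" +noall +answer +norecurse DS "$zone")
        if ds_published "$candidates" "$observed"; then
            echo "$ns: DS for key $keytag present"
        else
            echo "$ns: DS for key $keytag NOT present; leaving the rollover paused" >&2
            exit 1
        fi
    done

    # Only now tell named the DS is in the parent so the rollover can proceed.
    rndc dnssec -checkds -key "$keytag" published "$zone"
    rndc dnssec -status "$zone"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it from cron after submitting the new DS to the registrar; it exits non-zero and leaves named waiting until every parent server answers with the DS, so repeated runs are harmless. The same gate, with `rndc dnssec -checkds -key <old-tag> withdrawn <zone>` and a check that the old key's DS is absent at all parent servers, is what the later step of the rollover needs.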



