Ask for automated KSK roll with DS checking

Matthijs Mekking matthijs at isc.org
Thu Apr 15 14:59:37 UTC 2021



On 15-04-2021 16:35, Bob Harold wrote:
> 
> On Thu, Apr 15, 2021 at 8:50 AM Bob Harold <rharolde at umich.edu 
> <mailto:rharolde at umich.edu>> wrote:
> 
> 
>     On Thu, Apr 15, 2021 at 2:57 AM Matthijs Mekking <matthijs at isc.org
>     <mailto:matthijs at isc.org>> wrote:
> 
> 
> 
>         On 14-04-2021 22:30, Greg Rivers via bind-users wrote:
>          > On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote:
>          >> Does anyone have an automated KSK roll process, that checks
>         for the DS
>          >> record at the parent, that they can share?
>          >>
>          >> As far as I can tell, the automated signing in BIND will
>         roll the KSK if I
>          >> set the timing in the policy file, but it won't check the DS
>         record, so it
>          >> will happily break DNSSEC if some other process does not
>         update the DS
>          >> record at the right time.  That's too big a risk for me, the
>         process needs
>          >> to check the DS record before completing the KSK roll. 
>         Surely someone has
>          >> done this.  I would rather not reinvent the wheel.  But I
>         have searched and
>          >> not found anything yet.
>          >>
>          > As I understand it, the way it works now is that the actual
>         KSK rollover won't occur until you execute `rndc dnssec -checkds
>         ...` [1].
> 
>         That is correct.
> 
>          > I'm hopeful that named will fully automate this check at some
>         point soon.
> 
>         It is on the roadmap:
> 
>         https://gitlab.isc.org/isc-projects/bind9/-/issues/1126
>         <https://gitlab.isc.org/isc-projects/bind9/-/issues/1126>
> 
>         - Matthijs
> 
> 
>          > [1]
>         <https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2
>         <https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2>>
>          >
> 
>     Thank you both very much.  I missed that, and I am testing with the
>     RedHat RHEL7 version of BIND 9.11, which does not seem to wait. 
>     Looks like I will need to run a newer version of BIND, at least on
>     my in-line signing server.
> 
>     -- 
>     Bob Harold
>     University of Michigan
> 
> 
> If BIND holds both the child and parent zone, will it add the DS record 
> at the correct time?  Or do I still need to write scripts to update the 
> DS records in all my sub-zones?  And is there some signal from BIND at 
> the time the DS record should be written, or do i need to calculate the 
> right time?

Currently you still have to write scripts to update DS records in all 
your parent zones.

The CDS/CDNSKEY records are published in the child zones that indicate 
the DS should be published, so I would script against that.

Then when the DS is seen in the parent, call the rndc dnssec -checkds 
published/withdrawn command.

Best regards,

Matthijs


> -- 
> Bob Harold
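The scripting Matthijs describes above, as an added example rather than code from the thread or from BIND: read the CDS RRset from the child's authoritative server, read the DS RRset from the parent's authoritative server, and only where a CDS record is actually present at the parent call `rndc dnssec -checkds ... published` for that key. Everything not on the page is assumed: the environment variables `CHILD_ZONE`, `CHILD_NS` and `PARENT_NS`, the function names, and the sample RRsets, which are constructed with made-up key tags and digests. The `-key`/`-alg` options to `rndc dnssec -checkds` are those of the BIND 9.16+ `dnssec-policy` implementation; the 9.11 branch Bob mentions has no `-checkds` at all.

```shell
#!/bin/sh
# Added example, not code from the thread or from BIND: compare the CDS
# records a child zone publishes with the DS records its parent serves and
# run `rndc dnssec -checkds published` only for keys whose DS is really there.
# Assumed, not stated on the page: dig and rndc are on PATH, rndc can reach
# the signing named, and CHILD_ZONE / CHILD_NS / PARENT_NS are set by the
# operator when the script is used live.
set -eu

# Canonicalise an RRset as `dig +short` prints it (one RR per line,
# "keytag alg digesttype digest"): join a digest that dig has split with
# spaces, lower-case the hex, sort and de-duplicate, so sets compare as text.
normalize_rrset() {
    awk 'NF >= 4 {
             d = ""
             for (i = 4; i <= NF; i++) d = d $i
             printf "%s %s %s %s\n", $1, $2, $3, tolower(d)
         }' | sort -u
}

# compare_cds_ds CDS_RRSET DS_RRSET
# Emits one line per record, sorted:
#   published <keytag> <alg>  parent DS matches this CDS: safe to -checkds
#   missing   <keytag> <alg>  CDS not at the parent yet: keep waiting
#   stale     <keytag> <alg>  parent DS with no CDS: the child no longer wants it
#   delete    0 0             RFC 8078 deletion signal "0 0 0 00"
compare_cds_ds() {
    want=$(printf '%s\n' "$1" | normalize_rrset)
    have=$(printf '%s\n' "$2" | normalize_rrset)
    {
        printf '%s\n' "$want" | while read -r tag alg dt digest; do
            [ -n "$tag" ] || continue
            if [ "$tag $alg $dt $digest" = "0 0 0 00" ]; then
                echo "delete 0 0"
            elif printf '%s\n' "$have" | grep -qxF "$tag $alg $dt $digest"; then
                echo "published $tag $alg"
            else
                echo "missing $tag $alg"
            fi
        done
        printf '%s\n' "$have" | while read -r tag alg dt digest; do
            [ -n "$tag" ] || continue
            printf '%s\n' "$want" | grep -qxF "$tag $alg $dt $digest" \
                || echo "stale $tag $alg"
        done
    } | sort -u
}

# Live path: ask the child's and the parent's authoritative servers directly
# (not a resolver cache, which may still hold the old DS) and act on the result.
checkds_if_published() {
    zone=$1 child_ns=$2 parent_ns=$3
    cds=$(dig +short +norecurse @"$child_ns" "$zone" CDS)
    ds=$(dig +short +norecurse @"$parent_ns" "$zone" DS)
    compare_cds_ds "$cds" "$ds" | while read -r state tag alg; do
        case $state in
        published) rndc dnssec -checkds -key "$tag" -alg "$alg" published "$zone" ;;
        missing)   echo "$zone: DS for key $tag/$alg not at parent yet, waiting" ;;
        stale)     echo "$zone: parent DS $tag/$alg has no CDS, remove it at the parent" ;;
        delete)    echo "$zone: child signals DS deletion, remove all DS at the parent" ;;
        esac
    done
}

# Constructed sample RRsets (made-up key tags and digests) for offline use.
# Key 12345 is at the parent (its digest printed split and upper-case, as dig
# may do), key 23456 is not there yet, and the parent still serves a DS for
# key 34567 for which the child no longer publishes a CDS.
SAMPLE_CDS='12345 13 2 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
23456 13 2 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
SAMPLE_DS='12345 13 2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAA
34567 8 2 cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc'

if [ -n "${CHILD_ZONE:-}" ]; then
    checkds_if_published "$CHILD_ZONE" "${CHILD_NS:?}" "${PARENT_NS:?}"
else
    compare_cds_ds "$SAMPLE_CDS" "$SAMPLE_DS"
fi
```

Run without variables it only compares the constructed samples; with `CHILD_ZONE`, `CHILD_NS` and `PARENT_NS` exported (hypothetical names for your zone and its two sets of authoritative servers) it queries live and calls rndc. The matching `rndc dnssec -checkds -key <old tag> withdrawn` call, once the parent has dropped the old key's DS, is left to the operator here: CDS alone does not say which key is waiting for withdrawal, and a DS that has already disappeared from the parent leaves nothing to compare against.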

