DNSSEC questions

Alessandro Vesely vesely at tana.it
Wed Oct 27 10:54:45 UTC 2021


Hi all,

I recently installed version 9.16, and have a number of doubts.  During the 
upgrade, named didn't want to load signed zones because of CDS/CDNSKEY 
inconsistency.  There were CDS records in the zone files, which I removed.

I also switched to dnssec-policy.  Somewhere I read that I should have defined 
a policy with keys matching the existing keys.  I also defined a "combined" 
key.  Now I have two DS, two CDS, and two CDNSKEY RRs.  I attach a picture of a 
zone and paste the policy below.


The questions:

1. Now, how do I get rid of the extra ksk and zsk?  Is it enough to remove them 
from the policy?

2. I have double CDS/CDNSKEY records, but they're not in the zone files.  Do I 
have to run rndc dnssec -checkds to remove them?

3. The server produces new .signed and .signed.jnl files every day, which is 
inconvenient as the zone files directory is checked by tripwire.  Is that 
timing determined by the dnskey-ttl?  Would it be okay to set it to one month?

4. Is rndc managed-keys status supposed to display anything meaningful, given 
my setup?  It talks about a non-existing key id.  The sync option produces no 
output at all.  How do I know the overall dnssec status?


Here's my policy setting:

dnssec-policy "explicit" {
	// Keys
	keys {
		ksk key-directory lifetime unlimited algorithm rsasha256 2048;
		zsk key-directory lifetime unlimited algorithm rsasha256 2048;
		csk key-directory lifetime unlimited algorithm rsasha256 2048;
	};

	nsec3param iterations 1 optout false salt-length 16;

	// Key timings
	dnskey-ttl 86400;
	publish-safety P3W;
	retire-safety P3W;
	purge-keys P1Y;

	// Signature timings
	signatures-refresh P2M;
	signatures-validity P6M;
	signatures-validity-dnskey P6M;

	// Zone parameters
	max-zone-ttl 86400;
	zone-propagation-delay PT1H;

	// Parent parameters
	parent-ds-ttl 86400;
	parent-propagation-delay PT1H;
};

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tana.it-byDNSviz.png
Type: image/png
Size: 18997 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20211027/2cfe3945/attachment-0001.png>
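The double DS/CDS/CDNSKEY situation in questions 1 and 2 comes down to which SEP-flagged DNSKEYs the zone still holds versus which DS records the parent still publishes. As an added example (not from the post and not BIND's own code), the script below recomputes the DS digest for each SEP key per RFC 4034 and reports CDS records no key accounts for, plus the drift between the child's CDS set and the parent's DS set; the owner name, key material and DS values are constructed placeholders, and the check is offline on records you supply.

```python
"""Cross-check DNSKEY, CDS and parent DS sets (RFC 4034 s.5, RFC 7344); all data constructed."""
import hashlib
import struct
from dataclasses import dataclass

DIGEST_SHA256 = 2  # DS digest type 2 (SHA-256)

@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = zone key + SEP (KSK/CSK), 256 = zone key only (ZSK)
    algorithm: int    # 8 = RSASHA256, the algorithm in the posted policy
    pubkey: bytes
    protocol: int = 3

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit checksum over the RDATA, even-offset bytes weighted by 256
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

def wire_name(name: str) -> bytes:
    """Canonical lowercase wire form of an owner name: length-prefixed labels, root byte."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_for(owner: str, key: DNSKEY) -> tuple:
    """DS/CDS rdata (key tag, algorithm, digest type, hex digest) derived from one DNSKEY."""
    digest = hashlib.sha256(wire_name(owner) + key.rdata()).hexdigest()
    return (key.key_tag(), key.algorithm, DIGEST_SHA256, digest)

def cds_without_key(owner: str, dnskeys, cds_set) -> list:
    """CDS records no SEP-flagged DNSKEY in the zone accounts for (stale leftovers)."""
    expected = {ds_for(owner, k) for k in dnskeys if k.flags & 0x0001}
    return sorted(set(cds_set) - expected)

def ds_drift(parent_ds, cds_set) -> tuple:
    """(CDS the parent does not publish yet, DS the parent still holds but the child dropped)."""
    return sorted(set(cds_set) - set(parent_ds)), sorted(set(parent_ds) - set(cds_set))

if __name__ == "__main__":
    owner, ksk, csk = "example.com.", DNSKEY(257, 8, bytes(range(1, 5))), DNSKEY(257, 8, bytes(range(5, 9)))
    zsk = DNSKEY(256, 8, bytes(range(9, 13)))               # no SEP bit: never yields a DS
    cds = [ds_for(owner, ksk), ds_for(owner, csk), (12345, 8, 2, "00" * 32)]  # last one stale
    print("CDS with no key:", cds_without_key(owner, [ksk, csk, zsk], cds))
    print("missing / stale at parent:", ds_drift([ds_for(owner, ksk)], cds[:2]))
```

Feeding it the zone's real DNSKEY/CDS RRsets and the parent's DS RRset shows whether the second DS is backed by a key that is still present or is a leftover to be withdrawn.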

