DNSSEC questions
Alessandro Vesely
vesely at tana.it
Wed Oct 27 16:48:25 UTC 2021
Hi Matthijs,
thanks for the clarifications.
On Wed 27/Oct/2021 17:53:46 +0200 Matthijs Mekking wrote:
> On 27-10-2021 12:54, Alessandro Vesely wrote:
>>
>> I also switched to dnssec-policy. Somewhere I read that I should have
>> defined a policy with keys matching the existing keys. I also defined a
>> "combined" key. Now I have two DS, two CDS, and two CDNSKEY RRs. I attach a
>> picture of a zone and paste the policy below.
>
> Adding the combined key to the policy means you did not create a policy that
> matched the existing keys. BIND notices that you want three keys, you only have
> two, so it creates the CSK.
Yup, the intention was (and still is) to migrate to CSK, as it's simpler,
without breaking existing status. So now I need to get rid of the old keys.
>> 1. Now, how do I get rid of the extra ksk and zsk? Is it enough to remove
>> them from the policy?
>
> You can remove them from the policy yes, but make sure the migration is
> complete. You can check with "rndc dnssec -status <zone>" and make sure that
> your key states are in "omnipresent".
Thanks, that's what I was looking for. I have to check all zones (and two
views each). I'll write a script for that.
>> 2. I have double CDS/CDNSKEY records, but they're not in the zone files. Do
>> I have to run rndc dnssec -checkds to remove them?
>
> That's because you added the additional CSK to the policy. It is probably best
> to remove it again from the policy and only change the policy if the migration
> is complete.
Right. So the script must also check that the new keys have a parental DS.
>> 3. The server produces new .signed and .signed.jnl files every day, which is
>> inconvenient as the zone files directory is checked by tripwire. Is that
>> timing determined by the dnskey-ttl? Would it be okay to set it to one month?
>
> The zone is signed if a signature is about to expire. It is not determined by
> dnskey-ttl. I would exclude these files from tripwire because they need to be
> written out anyway.
Then, why does it have to rewrite it every day, if the zone didn't change?
dnskey-ttl is the only one-day timing thing, except parent-ds-ttl.
BTW, DS RR has a ttl of 10800 at the parent; should I copy that to
parent-ds-ttl in my policy definition? What for?
>> 4. Is rndc managed-keys status supposed to display anything meaningful, given
>> my setup? It talks about a non-existing key id. The sync option produces no
>> output at all. How do I know the overall dnssec status?
>
> "rndc managed-keys status" is for trust anchors, use "rndc dnssec -status
> <zone>" instead.
OK. Thanks again,
Ale
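A script along the lines of the one Alessandro says he will write, added here as an example that is not part of the thread or of BIND's own tooling: it loops over zone/view pairs, runs the "rndc dnssec -status" check Matthijs recommends, reports any key state that is not yet omnipresent, and flags keys for which the parent publishes no DS. The layout of the status output, the example.org zone/view list and the sample outputs are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from BIND: walk "zone view" pairs,
# run "rndc dnssec -status", report zones whose key states are not all
# "omnipresent", and flag keys with no DS at the parent. The status layout is
# ASSUMED: a "key: <tag> ..." header per key, then lines like "- ds: omnipresent";
# adjust the awk patterns if your BIND version prints it differently.
# key_states STATUS_TEXT -> one "<keytag> <state-name> <state>" line per state line
key_states() {
    printf '%s\n' "$1" | awk '
        /^key: / { tag = $2 }
        /^[ \t]*- (goal|dnskey|ds|zone rrsig|key rrsig):/ {
            line = $0; sub(/^[ \t]*- /, "", line)
            split(line, f, /:[ \t]*/); print tag, f[1], f[2]
        }'
}
# pending_states STATUS_TEXT -> states not yet omnipresent (empty output = migrated)
pending_states() {
    key_states "$1" | awk '$NF != "omnipresent"'
}
# parent_has_ds ZONE KEYTAG -> exit 0 if the parent publishes a DS for KEYTAG
# (needs DNS access; "dig +short DS" prints "<keytag> <alg> <digest-type> <digest>")
parent_has_ds() {
    dig +short DS "$1" | awk -v tag="$2" '$1 == tag { found = 1 } END { exit !found }'
}
# check_all reads "zone view" pairs from $ZONES (placeholder list, one pair per line)
ZONES='example.org internal
example.org external'
check_all() {
    printf '%s\n' "$ZONES" | while read -r zone view; do
        status=$(rndc dnssec -status "$zone" IN "$view") || { echo "$zone/$view: rndc failed"; continue; }
        pending=$(pending_states "$status")
        if [ -n "$pending" ]; then printf '%s/%s: NOT migrated\n%s\n' "$zone" "$view" "$pending"
        else echo "$zone/$view: all key states omnipresent"; fi
        key_states "$status" | awk '{ print $1 }' | sort -u | while read -r tag; do
            parent_has_ds "$zone" "$tag" || echo "  key $tag: no DS at parent"
        done
    done
}
# Constructed sample status outputs (not real rndc output) for offline checks
SAMPLE_DONE='key: 12345 (ECDSAP256SHA256), CSK
  - goal: omnipresent
  - dnskey: omnipresent
  - ds: omnipresent'
SAMPLE_PENDING='key: 12345 (ECDSAP256SHA256), CSK
  - ds: rumoured
key: 54321 (ECDSAP256SHA256), KSK
  - goal: hidden'
if [ "${1:-}" = "--run" ]; then check_all; fi
```

Run it with `--run` on the name server itself (rndc and dig needed); without that flag it only defines the functions, so the parsers can be tried against the constructed samples first.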