dnssec-policy makes BIND touch all key files every hour

Bjørn Mork bjorn at mork.no
Tue Apr 26 12:25:49 UTC 2022


Matthijs Mekking <matthijs at isc.org> writes:

> What can you do to get it to "omnipresent"? Tell BIND that the DS is
> in the parent (only do so if it is true of course). You can run
>
>         rndc dnssec -checkds published your.zone
>
> And it should update the keyfile. You should then see a "DsPublish"
> line in the state file and wait for DS TTL and parent propagation
> delay time to see the state switch to "omnipresent".
>
> If there are multiple keys eligible you need to specify the key id
> with "-key id".

Thanks.  Yes, that was the solution.

Pretty obvious now that I know :-) We can view the initial bootstrapping
as "half a KSK rollover".

FWIW, I followed the dnssec-policy migration instructions at
https://kb.isc.org/docs/dnssec-key-and-signing-policy , which also
includes KSK rollover instructions.  But I still didn't manage to put
that puzzle together.  Maybe you could include an explicit hint for
those of us who are too slow to figure out these things by ourselves?



Bjørn
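The check Matthijs describes above (a DS publication time recorded in the key's state file, then DSState moving from "rumoured" to "omnipresent" once the DS TTL and parent propagation delay have passed) can be scripted so it is not done by eye. The following is an added example written for this page, not code from the thread or from ISC; it assumes the field names DSPublish and DSState and the state vocabulary (hidden, rumoured, omnipresent, unretentive) of BIND's .state files as I know them, and the key id and file contents are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect a BIND 9 key
# state file after "rndc dnssec -checkds published <zone>" to confirm
# that the DS publication time was recorded and report the DS state.
#
# Assumptions (not from the page): the field names DSPublish and DSState
# and the state values hidden/rumoured/omnipresent/unretentive follow the
# .state files written by BIND 9 dnssec-policy as I know them; the key id
# and file contents below are constructed sample data.

# Print the value of a "Name: value" field from a state file, without the
# human-readable timestamp in parentheses. Prints nothing if absent.
state_field() {
    # $1 = state file, $2 = field name
    sed -n "s/^$2: *\([^ ]*\).*/\1/p" "$1" | head -n 1
}

# Exit status 0 if a DS publication time has been recorded.
ds_published() {
    [ -n "$(state_field "$1" DSPublish)" ]
}

# Print the DS state (hidden/rumoured/omnipresent/...) or "unknown".
ds_state() {
    s=$(state_field "$1" DSState)
    printf '%s\n' "${s:-unknown}"
}

# Summarise what is still needed for the DS to reach "omnipresent".
# Returns 0 when done, 1 when checkds has not been run, 2 while waiting.
ds_check() {
    f=$1
    if ! ds_published "$f"; then
        echo "no DSPublish time recorded: once the DS really is in the parent, run: rndc dnssec -checkds published <zone>"
        return 1
    fi
    case $(ds_state "$f") in
        omnipresent) echo "DS omnipresent: this half of the KSK rollover is complete"; return 0 ;;
        rumoured)    echo "DS published at $(state_field "$f" DSPublish); wait for DS TTL plus parent propagation delay"; return 2 ;;
        *)           echo "unexpected DSState: $(ds_state "$f")"; return 3 ;;
    esac
}

# Constructed sample state files: before and after "rndc dnssec -checkds".
SAMPLE_BEFORE=$(mktemp)
cat >"$SAMPLE_BEFORE" <<'EOF'
; This is the state of key 12345, for example.net.
Algorithm: 13
Length: 256
KSK: yes
ZSK: no
Published: 20220301000000 (Tue Mar  1 00:00:00 2022)
Active: 20220301000000 (Tue Mar  1 00:00:00 2022)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: hidden
GoalState: omnipresent
EOF

SAMPLE_AFTER=$(mktemp)
cat >"$SAMPLE_AFTER" <<'EOF'
; This is the state of key 12345, for example.net.
Algorithm: 13
Length: 256
KSK: yes
ZSK: no
Published: 20220301000000 (Tue Mar  1 00:00:00 2022)
Active: 20220301000000 (Tue Mar  1 00:00:00 2022)
DSPublish: 20220426122549 (Tue Apr 26 12:25:49 2022)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: rumoured
GoalState: omnipresent
EOF

ds_check "$SAMPLE_BEFORE" || true
ds_check "$SAMPLE_AFTER" || true
```

On a real server, point ds_check at the .state file of the KSK in the key directory (use the key id shown by "rndc dnssec -status <zone>" when several keys are eligible) and rerun it after the DS TTL and parent propagation delay have elapsed; the exit status makes it usable from a monitoring check.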

