dnssec-policy makes BIND touch all key files every hour
Matthijs Mekking
matthijs at isc.org
Tue Apr 26 13:09:13 UTC 2022
On 26-04-2022 14:25, Bjørn Mork wrote:
> Matthijs Mekking <matthijs at isc.org> writes:
>
>> What can you do to get it to "omnipresent"? Tell BIND that the DS is
>> in the parent (only do so if it is true of course). You can run
>>
>> rndc dnssec -checkds published your.zone
>>
>> And it should update the keyfile. You should then see a "DsPublish"
>> line in the state file and wait for DS TTL and parent propagation
>> delay time to see the state switch to "omnipresent".
>>
>> If there are multiple keys eligible you need to specify the key id
>> with "-key id".
>
> Thanks. Yes, that was the solution.
Glad to hear that worked.
> Pretty obvious now that I know :-) We can view the initial bootstrapping
> as "half a KSK rollover".
>
> FWIW, I followed the dnssec-policy migration instructions at
> https://kb.isc.org/docs/dnssec-key-and-signing-policy , which also
> includes KSK rollover instructions. But I still didn't manage to put
> that puzzle together. Maybe you could include an explicit hint for
> those of us who are too slow to figure out these things by ourselves?
Makes sense to me. I have added a note at the end of the "Key states"
section.
Best regards, Matthijs
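The check described in this thread (look for a DsPublish line in the key state file, then wait for the DS TTL plus parent propagation delay before expecting "omnipresent"), worked through as an added example. This is not code from the thread, from ISC or from BIND; it assumes the state-file format BIND 9.16+ writes next to each K<zone>+<alg>+<id>.key file (field names KSK:, DSState:, DSPublish:, timestamps of the form 20220426130913 followed by a human-readable date), so verify the field names against your own key directory. The sample state files it creates are constructed, not real keys.

```python
"""Read BIND dnssec-policy key state files and decide which
"rndc dnssec -checkds" invocation to run next.

Added example, not code from the thread or from ISC. Assumption: each
K<zone>+<alg>+<id>.key has a matching .state file of "Field: value"
lines (KSK:, DSState:, DSPublish:, ...) as BIND 9.16+ writes them, with
timestamps like "20220426130913 (Tue Apr 26 13:09:13 2022)".
The sample state files below are constructed, not real keys.
"""
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

STATE_NAME = re.compile(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<id>\d{5})\.state$")
TIMESTAMP = re.compile(r"^(\d{14})")


def parse_state_file(text):
    """Turn a state file into a dict; ';' comment lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def state_timestamp(value):
    """'20220426130913 (Tue Apr 26 ...)' -> datetime(2022, 4, 26, 13, 9, 13)."""
    m = TIMESTAMP.match(value)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S") if m else None


def pending_ksks(keydir, zone):
    """{keyid: fields} for KSKs of `zone` whose DS state is not yet omnipresent."""
    zone = zone.rstrip(".")
    found = {}
    for path in Path(keydir).glob("K*.state"):
        m = STATE_NAME.match(path.name)
        if not m or m.group("zone").rstrip(".") != zone:
            continue
        fields = parse_state_file(path.read_text())
        if fields.get("KSK") == "yes" and fields.get("DSState") != "omnipresent":
            found[int(m.group("id"))] = fields
    return found


def checkds_commands(keydir, zone):
    """rndc commands for pending KSKs that have no DSPublish line yet.
    Only run them once the DS really is in the parent. With more than one
    pending KSK, BIND cannot guess which key you mean, so each command
    names its key with -key (as the thread says)."""
    pending = pending_ksks(keydir, zone)
    todo = sorted(k for k, f in pending.items() if "DSPublish" not in f)
    if len(pending) == 1:
        return [f"rndc dnssec -checkds published {zone}" for _ in todo]
    return [f"rndc dnssec -checkds -key {k} published {zone}" for k in todo]


def expected_omnipresent_at(fields, ds_ttl_seconds, parent_propagation_seconds):
    """Earliest time the DS state can move from rumoured to omnipresent after
    DsPublish: DS TTL plus the policy's parent propagation delay. None when
    the key has no DSPublish line yet."""
    published = state_timestamp(fields.get("DSPublish", ""))
    if published is None:
        return None
    return published + timedelta(seconds=ds_ttl_seconds + parent_propagation_seconds)


def write_sample_keydir():
    """Constructed key directory: two pending KSKs and a ZSK for example.com,
    plus a pending KSK of another zone that must be ignored."""
    common = "Algorithm: 13\nLength: 256\nLifetime: 0\nDNSKEYState: omnipresent\n"
    files = {
        "Kexample.com.+013+12345.state": "; state of key 12345\n" + common
            + "KSK: yes\nZSK: no\nKRRSIGState: omnipresent\nDSState: rumoured\n",
        "Kexample.com.+013+23456.state": "; state of key 23456\n" + common
            + "KSK: yes\nZSK: no\nKRRSIGState: omnipresent\nDSState: rumoured\n"
            + "DSPublish: 20220426130913 (Tue Apr 26 13:09:13 2022)\n",
        "Kexample.com.+013+54321.state": "; state of key 54321\n" + common
            + "KSK: no\nZSK: yes\nZRRSIGState: omnipresent\n",
        "Kother.test.+013+11111.state": "; state of key 11111\n" + common
            + "KSK: yes\nZSK: no\nDSState: rumoured\n",
    }
    keydir = Path(tempfile.mkdtemp(prefix="bind-keys-"))
    for name, text in files.items():
        (keydir / name).write_text(text)
    return keydir


if __name__ == "__main__":
    keydir = write_sample_keydir()
    for cmd in checkds_commands(keydir, "example.com"):
        print(cmd)
    ksk = pending_ksks(keydir, "example.com")[23456]
    # DS TTL of one day, parent propagation delay of one hour (assumed policy values)
    print("key 23456 may become omnipresent at",
          expected_omnipresent_at(ksk, 86400, 3600))
```

Point it at the real key-directory of a zone and it prints the exact rndc line to run for each KSK you have not yet confirmed to BIND, naming the key with -key whenever more than one KSK is still waiting on its DS; for keys that already carry a DSPublish line it tells you when, at the earliest, the state can flip to "omnipresent", which is the point where the hourly key-file touching discussed in the subject line stops being caused by a half-finished rollover.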