dnssec-policy: Old DNSKEYs still in zone despite status showing hidden
Magnus Holmgren
magnus.holmgren at millnet.se
Thu Aug 11 09:26:57 UTC 2022
On Wednesday 10 August 2022 at 11:21:11 CEST, Matthijs Mekking wrote:
> On 10-08-2022 11:13, Magnus Holmgren wrote:
> > One question: Is it
> > necessary to use rndc dnssec -checkds or is that only meant as a backup,
> > and named is supposed to query the parent for DS records automatically?
>
> That depends if you have set up parental-agents. If not, then you need
> to run 'rndc dnssec -checkds'.
I see. I find the documentation a bit sparse, however. "A parental agent is
the entity that is allowed to change a zone’s delegation information (defined
in RFC 7344)."; "Parental Agent: The entity that the Child has a relationship
with to change its delegation information." So what list of servers is it that
I'm configuring, exactly? The "hard" part is changing the delegation
information, but that's done through CDS records, which it turns out our
registrar supports. Verifying that the new DS record is in place should be a
trivial matter of walking the chain from the root zone, should it not? Should
I simply list a couple of the respective TLD's name servers? The registrar
doesn't provide any special server(s) for the purpose, AFAICT.
Is the idea that you query the parental agent to see that they've picked up
the CDS and then you trust that the parent zone will be updated within the
parent-propagation-delay? That doesn't seem right; you'd want to make sure
that the new DS is visible to the world, right?
Thanks,
--
Magnus Holmgren, developer
MILLNET AB, Datalinjen 1, 583 30 Linköping
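As an added illustration (not code from the thread or from BIND) of the check the message asks about, the following computes the DS that the parent must publish for a child's KSK DNSKEY and tests whether that DS is present in the DS RRset seen at the parent, which is the comparison named performs against its parental agents and that 'rndc dnssec -checkds' lets you assert by hand. The key material and the parent's DS line are constructed; fetching the parent's DS RRset (e.g. with dig) is assumed to be done separately.

```python
import base64
import hashlib

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lower-case) wire format, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags | protocol | algorithm | public key (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """The DS (tag, algorithm, digest type 2, SHA-256 hex) the parent must publish for this key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def parse_ds_line(line: str):
    """Parse one presentation-format DS line as printed by 'dig DS <zone>' (digest may be split)."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return (tag, alg, dtype, "".join(fields[i + 4:]).upper())

def ds_visible_at_parent(ds_lines, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True if the DS derived from the child's KSK appears in the parent's DS RRset."""
    published = {parse_ds_line(l) for l in ds_lines if " DS " in l}
    return ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64) in published

# Constructed sample: an old KSK whose DS the parent already serves, and a new KSK whose DS it does not.
OLD_KSK = ("example.com.", 257, 3, 8, "AQIDBAUGBwg=")   # flags 257 = KSK (SEP bit set), alg 8
NEW_KSK = ("example.com.", 257, 3, 8, "CAcGBQQDAgE=")
PARENT_DS = ["example.com. 3600 IN DS %d %d %d %s" % ds_from_dnskey(*OLD_KSK)]  # constructed parent answer

if __name__ == "__main__":
    print("old KSK DS visible at parent:", ds_visible_at_parent(PARENT_DS, *OLD_KSK))  # True
    print("new KSK DS visible at parent:", ds_visible_at_parent(PARENT_DS, *NEW_KSK))  # False
```

Until the second check turns True against every authoritative server of the parent, the old DS must stay published and the old KSK must stay in the zone, which is exactly the state the policy reports as the keys not yet being "hidden".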