dnssec-policy: Old DNSKEYs still in zone despite status showing hidden

Magnus Holmgren magnus.holmgren at millnet.se
Fri Aug 12 13:59:41 UTC 2022


On Thursday 11 August 2022 at 17:47:40 CEST, Matthijs Mekking wrote:
> Magnus,
> 
> On 11-08-2022 11:26, Magnus Holmgren wrote:
> > On Wednesday 10 August 2022 at 11:21:11 CEST, Matthijs Mekking wrote:
> >> On 10-08-2022 11:13, Magnus Holmgren wrote:
> >>> One question: Is it
> >>> necessary to use rndc dnssec -checkds or is that only meant as a backup,
> >>> and named is supposed to query the parent for DS records automatically?
> >> 
> >> That depends if you have set up parental-agents. If not, then you need
> >> to run 'rndc dnssec -checkds'.
> > 
> > I see. I find the documentation a bit sparse, however. "A parental agent is
> > the entity that is allowed to change a zone's delegation information
> > (defined in RFC 7344)."; "Parental Agent: The entity that the Child has a
> > relationship with to change its delegation information." So what list of
> > servers is it that I'm configuring, exactly? The "hard" part is changing
> > the delegation information, but that's done through CDS records, which it
> > turns out our registrar supports. Verifying that the new DS record is in
> > place should be a trivial matter of walking the chain from the root zone,
> > should it not? Should I simply list a couple of the respective TLD's name
> > servers? The registrar doesn't provide any special server(s) for the
> > purpose, AFAICT.
> 
> There are two common scenarios, I think.
> 
> First is list all the public parent servers and add those to your
> parental-agents configuration. BIND will only continue the rollover if
> the new DS has been seen at all those servers.
> 
> Second is set up a local validating resolver. When the DS is validated
> by the resolver, you can assume it is published correctly in the parent.

I see you suggested multiple methods in
https://gitlab.isc.org/isc-projects/bind9/-/issues/1126, with "Automatic, by
walking the parents" as the default, and an option check-ds, but nothing came
of that?

IIUC, I have to list IP addresses of parental agents; strings are interpreted
as references to other parental-agents lists. But keeping the lists of IP
addresses of the TLDs' name servers up to date manually is not sustainable, so
I guess I'll just point to our recursing nameserver.

Regards,
-- 
Magnus Holmgren, developer
MILLNET AB, Datalinjen 1, 583 30 Linköping
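
As an added example, not part of Magnus's or Matthijs's messages: a named.conf fragment showing the two parental-agents setups Matthijs describes (public parent servers vs. a local validating resolver) and how a zone refers to a named list by string. The zone name and all addresses are placeholders.

```conf
/* Added example, not from the thread. Addresses and zone name are placeholders. */

// Scenario 2: a local validating resolver. named considers the DS published
// once this resolver answers with it; because the resolver validates, a
// forged or stale answer cannot advance the rollover.
parental-agents "local-resolver" {
    192.0.2.53;            // placeholder: your recursive, validating resolver
};

// Scenario 1: the parent zone's public authoritative servers. The rollover
// only continues once the new DS has been seen on every listed server, and
// the list must be maintained by hand when the parent's servers change.
parental-agents "parent-auth" {
    198.51.100.1;          // placeholder: parent (TLD) name server 1
    2001:db8::1;           // placeholder: parent (TLD) name server 2
};

zone "example.com" {
    type primary;
    file "example.com.db";
    dnssec-policy "default";
    // A quoted string refers to a parental-agents list defined above;
    // literal IPv4/IPv6 addresses may also be written inline here.
    parental-agents { "local-resolver"; };
};

// Without any parental-agents, named never checks the parent itself; after
// confirming the DS yourself, tell it so manually, for example:
//   rndc dnssec -checkds published example.com
```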