dnssec: ds showing hidden 3+ days after key roll
Larry Rosenman
ler at lerctr.org
Thu Feb 10 17:23:04 UTC 2022
On 02/10/2022 10:10 am, Matthijs Mekking wrote:
> Hi,
>
> There are several things wrong here. The gist of it is that there is
> no valid ZSK and since the zone is not properly signed, BIND does not
> want to publish the DS record (even if outside BIND you already
> published the DS).
>
> You can tell that BIND does not agree because it did not publish a CDS
> record in your zone.
>
> I also noticed two different algorithms. I hadn't noticed it before
> but your policy says:
>
> keys {
> ksk lifetime unlimited algorithm 8 2048 ;
> zsk lifetime 30d algorithm 13;
> };
>
> This is a garbage policy because you specify different algorithms for
> the ksk and the zsk. This can never result in a validly signed zone.
>
> Change the algorithm of the keys so that they match.
>
> Perhaps we can add a named-checkconf check for this.
>
>
> Best regards,
>
> Matthijs
>
[snip]
Thanks! Is that little nuance documented? (The need for KSK and ZSK
to be aligned on type of key)
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: ler at lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106
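As an added illustration (not code from this thread or from BIND itself) of the named-checkconf-style check Matthijs suggests: a small Python routine that parses dnssec-policy blocks and flags any whose KSK and ZSK (or CSK) entries do not all use the same algorithm. The two policy texts, the helper names and the algorithm-mnemonic table are constructed for this example.

```python
import re

# Algorithm mnemonics BIND accepts in dnssec-policy, mapped to their IANA numbers,
# so "algorithm 13" and "algorithm ecdsap256sha256" compare as the same algorithm.
ALG_NUMBERS = {"rsasha256": 8, "rsasha512": 10, "ecdsap256sha256": 13,
               "ecdsap384sha384": 14, "ed25519": 15, "ed448": 16}
POLICY_RE = re.compile(r'dnssec-policy\s+"?([\w.-]+)"?\s*\{', re.I)
KEY_RE = re.compile(r'\b(ksk|zsk|csk)\b[^;]*?\balgorithm\s+([\w-]+)', re.I)

# Constructed samples: the mixed-algorithm policy quoted in the thread, and a
# corrected one where both keys use ECDSA P-256 (one by name, one by number).
BAD_POLICY = '''dnssec-policy "mixed" { keys {
    ksk lifetime unlimited algorithm 8 2048;
    zsk lifetime 30d algorithm 13;
}; };'''
GOOD_POLICY = '''dnssec-policy "ecdsa" { keys {
    ksk lifetime unlimited algorithm ecdsap256sha256;
    zsk lifetime 30d algorithm 13;
}; };'''

def _block(text, start):
    """Return the text inside the brace block whose '{' is at index start."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in dnssec-policy")

def key_algorithms(conf):
    """Map each dnssec-policy name to its list of (role, algorithm_number) entries."""
    out = {}
    for m in POLICY_RE.finditer(conf):
        keys = []
        for role, alg in KEY_RE.findall(_block(conf, m.end() - 1)):
            alg = alg.lower()
            keys.append((role.lower(), int(alg) if alg.isdigit() else ALG_NUMBERS.get(alg)))
        out[m.group(1)] = keys
    return out

def mixed_algorithm_policies(conf):
    """Names of policies whose KSK/ZSK/CSK entries do not all share one algorithm."""
    return sorted(name for name, keys in key_algorithms(conf).items()
                  if len({num for _, num in keys}) > 1)
```

Running `mixed_algorithm_policies` over a named.conf reports "mixed" for the quoted policy and nothing for the corrected one, which is the condition under which BIND will produce a validly signed zone and publish CDS/DS.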