dnssec: ds showing hidden 3+ days after key roll
Matthijs Mekking
matthijs at isc.org
Fri Feb 11 08:59:28 UTC 2022
Hi Larry,
This is documented in the DNSSEC RFCs, but AFAICS it is not mentioned in
our documentation. I created a merge request to add such a note in the
appropriate places:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5823
Best regards,
Matthijs
On 10-02-2022 18:23, Larry Rosenman wrote:
> On 02/10/2022 10:10 am, Matthijs Mekking wrote:
>> Hi,
>>
>> There are several things wrong here. The gist of it is that there is
>> no valid ZSK and since the zone is not properly signed, BIND does not
>> want to publish the DS record (even if outside BIND you already
>> published the DS).
>>
>> You can tell that BIND does not agree because it did not publish a CDS
>> record in your zone.
>>
>> I also noticed two different algorithms. I hadn't noticed it before
>> but your policy says:
>>
>> keys {
>> ksk lifetime unlimited algorithm 8 2048 ;
>> zsk lifetime 30d algorithm 13;
>> };
>>
>> This is a garbage policy because you specify different algorithms for
>> the ksk and the zsk. This can never result in a validly signed zone.
>>
>> Change the algorithm of the keys so that they match.
>>
>> Perhaps we can add a named-checkconf check for this.
>>
>>
>> Best regards,
>>
>> Matthijs
>>
> [snip]
>
> Thanks! Is that little nuance documented? (The need for KSK and ZSK
> to be aligned on type of key)
>
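As an added illustration of the named-checkconf-style check suggested in the quoted reply (example code written for this page, not part of BIND or the thread), here is a small checker that pulls the `algorithm` value from each `ksk`/`zsk`/`csk` line of a `dnssec-policy` keys block and flags a policy whose keys use different algorithms. The two policy strings are constructed samples; the mnemonic table is an assumed subset of the names BIND accepts, so a mnemonic outside it is reported as unknown rather than guessed.

```python
import re

# Constructed sample: the mismatched policy from the thread, and an aligned variant.
BAD_POLICY = """
dnssec-policy "mixed" {
    keys {
        ksk lifetime unlimited algorithm 8 2048;
        zsk lifetime 30d algorithm 13;
    };
};
"""

GOOD_POLICY = """
dnssec-policy "aligned" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime 30d algorithm 13;
    };
};
"""

# IANA DNSSEC algorithm numbers for a subset of mnemonics (assumed BIND spellings).
ALG_NUMBERS = {
    "rsasha256": 8, "rsasha512": 10,
    "ecdsap256sha256": 13, "ecdsa256": 13,
    "ecdsap384sha384": 14, "ecdsa384": 14,
    "ed25519": 15, "ed448": 16,
}

# One key statement: role, anything up to the semicolon, then "algorithm <value>".
KEY_RE = re.compile(r"\b(ksk|zsk|csk)\b[^;]*?\balgorithm\s+([A-Za-z0-9]+)", re.IGNORECASE)

def key_algorithms(policy_text):
    """Return [(role, algorithm_number_or_None)] for each key line in the policy."""
    out = []
    for role, alg in KEY_RE.findall(policy_text):
        alg = alg.lower()
        num = int(alg) if alg.isdigit() else ALG_NUMBERS.get(alg)
        out.append((role.lower(), num))
    return out

def check_policy(policy_text):
    """Return a list of problems; an empty list means all keys share one algorithm."""
    problems = []
    algs = {num for _, num in key_algorithms(policy_text)}
    if None in algs:
        problems.append("unknown algorithm mnemonic")
        algs.discard(None)
    if len(algs) > 1:
        problems.append(f"keys use different algorithms: {sorted(algs)}")
    return problems
```

Run `check_policy()` over each `dnssec-policy` block of a config before reloading; a non-empty result means the KSK and ZSK will not produce a zone BIND is willing to publish a DS/CDS for.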