dnssec-policy - KSK rollover

Matthijs Mekking matthijs at isc.org
Thu Nov 24 07:50:36 UTC 2022


Hi,

I think this should work with some caveats.

First, if you migrate to dnssec-policy (that is, the zone is already 
signed), make sure that the key properties match the current DNSKEYs.

Second, about your script:

 > If the child loses a CDS record - my external script will remove the
 > corresponding DS record from the parent.

This is true for BIND 9, as it will publish the CDS for as long as the 
DS should be in the parent. But it doesn't have to be the case. The RFC 
(7344) says:

    When the Parent DS is in sync with the CDS/CDNSKEY
    RRset(s), the Child DNS Operator MAY delete the CDS/CDNSKEY RRset(s);
    the Child can determine if this is the case by querying for DS
    records in the Parent.

Personally I like to keep the CDS in the child zone, so you can see if 
the parent is in sync, that is why I implemented it in BIND 9 to keep 
the CDS.

Best regards,

Matthijs


On 23-11-2022 18:24, Mark Elkins via bind-users wrote:
> Hi people,
> 
> I have read https://kb.isc.org/docs/dnssec-key-and-signing-policy
> 
> I have put the following policy in my named.conf file:-
> 
> dnssec-policy "ecdsa256-policy" {
>      signatures-refresh 5d;
>      signatures-validity 14d;
>      signatures-validity-dnskey 14d;
>      dnskey-ttl 3600;
>      publish-safety 1h;
>      retire-safety 1h;
>      purge-keys 10d;
> 
>      keys {
>          ksk lifetime 370d algorithm ecdsa256;   // <---- this part in particular!
>          zsk lifetime 34d algorithm ecdsa256;
>      };
> 
>      zone-propagation-delay 300s;
>      max-zone-ttl 86400s;
>      parent-propagation-delay 1h;
>      parent-ds-ttl 3600;
> };
> 
> I also have some external code that goes trawling for CDS records and 
> puts into a parent whatever it finds in the child - that in this case is 
> signed with the above policy stanza.
> 
> If the child creates a new CDS - my external scripts will find it and 
> pop it into the parent as a DS record.
> If the child loses a CDS record - my external script will remove the 
> corresponding DS record from the parent.
> Basically - whatever is in the child as a CDS will be in the parent as a DS.
> A null CDS removes all DS records - but that's not my question.
> 
> Is there anything else I need to do? Any additional rndc's ??
> 
> -- 
> 
> Mark James ELKINS  -  Posix Systems - (South) Africa
> mje at posix.co.za       Tel: +27.826010496 <tel:+27826010496>
> 
> 
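As an added illustration of the caveat in the reply above (example code, not from this thread or from BIND), here is a reconciliation rule for a CDS-driven parent updater that treats an absent CDS RRset as "no change" (RFC 7344 allows the child to drop CDS once the parent is in sync) and honours the RFC 8078 delete record "0 0 0 00"; the key tags and digests are constructed sample values.

```python
from typing import List, Optional, Set

# RFC 8078 "delete DS" CDS record: key tag 0, algorithm 0, digest type 0, digest 00.
DELETE_CDS = "0 0 0 00"

# Constructed sample records (made-up key tags and digests) for an ECDSAP256SHA256
# KSK rollover: OLD_DS is the current key, NEW_DS the successor.
OLD_DS = "12345 13 2 " + "11" * 32
NEW_DS = "23456 13 2 " + "22" * 32


def normalise(rdata: str) -> str:
    """Canonicalise CDS/DS rdata text: collapse whitespace, lower-case the hex digest."""
    tag, alg, dtype, *digest = rdata.split()
    return f"{int(tag)} {int(alg)} {int(dtype)} {''.join(digest).lower()}"


def desired_ds(child_cds: Optional[List[str]], parent_ds: List[str]) -> Set[str]:
    """DS RRset the parent should hold after looking at the child's CDS RRset.

    child_cds is None when the child publishes no CDS at all. Per RFC 7344 the
    child MAY delete CDS once the parent is in sync, so that must mean
    "keep what the parent has", not "remove every DS".
    """
    current = {normalise(r) for r in parent_ds}
    if child_cds is None:
        return current
    wanted = {normalise(r) for r in child_cds}
    if wanted == {normalise(DELETE_CDS)}:
        # Explicit RFC 8078 delete request: the parent removes all DS records.
        return set()
    return wanted


def plan(child_cds: Optional[List[str]], parent_ds: List[str]) -> dict:
    """Describe the add/remove actions the updater would take against the parent."""
    current = {normalise(r) for r in parent_ds}
    target = desired_ds(child_cds, parent_ds)
    return {"add": sorted(target - current), "remove": sorted(current - target)}


if __name__ == "__main__":
    # Walk a KSK rollover: publish successor, retire predecessor, then drop CDS.
    print(plan([OLD_DS, NEW_DS], [OLD_DS]))   # adds NEW_DS
    print(plan([NEW_DS], [OLD_DS, NEW_DS]))   # removes OLD_DS
    print(plan(None, [NEW_DS]))               # no change
    print(plan([DELETE_CDS], [NEW_DS]))       # removes everything
```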