new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

Matthijs Mekking matthijs at isc.org
Fri Oct 14 14:38:10 UTC 2022


Which parental-agent to use is up to you. Something you trust.

You can also configure multiple; if so, all parental agents will 
perform the DS check, and only if all parental agents agree (have seen 
the DS) will BIND set the DS as "seen published in the parent" and the 
rollover continue.

Best regards,

Matthijs


On 14-10-2022 16:33, PGNet Dev wrote:
>> This is a log level bug. This log happens when BIND want to check the 
>> parental-agents if the DS has been published. But if you don't have 
>> parental-agents set up, the list of keys to check will be empty. Hence 
>> the "not found" result.
>>
>> Thanks for reporting, this will be fixed in the next release, it 
>> should be a debug log level.
> 
> +1 o/
> 
> I'd completely missed 'parental-agents' :-/
> 
> sounds like I likely *should* have it set up in any case; esp if using 
> dnssec-policy key rollovers (I am)
> 
> reading
> 
>      https://bind9.readthedocs.io/en/latest/chapter5.html?highlight=parental-agents#key-rollover
> 
> I get the part it plays
> 
> unclear though which specific server one should use; in the example txt,
> 
>      "Here one server, 192.0.2.1, is configured for BIND to send DS 
> queries to, to check the DS RRset for dnssec-example during key 
> rollovers. This needs to be a trusted server, because BIND does not 
> validate the response."
> 
> atm, my registrar/TLD don't support CDS/CDNSKEY (for .com, in this case)
> 
> so my DS RECORD gets manually entered @ registrar's web portal.
> 
> then, record propagates to roots, which -- eventually -- return 
> RRSIG/RRSET data on queries.
> 
> for rollover mgmt, what server should be set as parental-agent?
> my registrar's?
> a root?
> something 'big', like cloudflare/1.1.1.1 ?
> other?
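An example of the configuration the reply describes, added here as an illustration and not taken from Matthijs's message or from BIND's own documentation: a named parental-agents list with more than one server, referenced from a dnssec-policy zone. The address 192.0.2.1 is the one in the ARM text quoted above; 2001:db8::53, the list name "trusted-parents", the zone name and the file path are made up for the example, and the syntax assumes BIND 9.16 or later.

```conf
// Added example (not from the original message).
// A named list of parental agents that zones can share. During a KSK/CSK
// rollover BIND queries every server listed here for the zone's DS RRset
// and only marks the DS as "seen published in the parent" once all of them
// have returned it. BIND does not validate these answers, so list only
// servers you trust.
// 192.0.2.1 is the address from the ARM example quoted in the thread;
// 2001:db8::53 is a constructed documentation-range address.
parental-agents "trusted-parents" {
    192.0.2.1;
    2001:db8::53;
};

zone "example.com" {
    type primary;
    file "primary/example.com.db";   // constructed path
    inline-signing yes;
    dnssec-policy "default";
    // Reference the list above. A dnssec-policy zone with no
    // parental-agents configured has no servers to ask, which is the
    // situation behind the "dns_zone_getdnsseckeys failed: not found" log.
    parental-agents { "trusted-parents"; };
};
```

With the DS entered by hand at a registrar portal, as in the thread, the servers to list are whichever you trust to reflect the parent zone, for example the parent's own authoritative nameservers or a validating resolver you operate. If no parental agent is configured at all, the rollover can still be moved forward manually once you have confirmed the DS yourself, with `rndc dnssec -checkds published example.com`.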
