Fully automated DNSSEC with BIND 9.16
Matthijs Mekking
matthijs at isc.org
Tue Apr 11 10:15:58 UTC 2023
Hello David,
On 4/11/23 12:02, David Carvalho via bind-users wrote:
> Hello, hope everyone is fine.
>
> So it seems that going to Bind version 9.16 was the right call as it
> simplifies DNSSEC a lot.
>
> Nevertheless, I would like to clarify some things because our
> organization has a parent domain and I host my own e-mail servers. I
> know they had problems while implementing DNSSEC on the top domain, and
> some configurations had to be made to let subdomain e-mail servers to
> still work after DNSSEC.
>
> Following RedHat tutorial, all I had to do was add “dnssec-policy
> default;” into one of my zones for testing purposes. I’m not testing
> Reverse zones yet.
>
> After this, 3 files “Kmy.domain***” were created:
>
> “.key”
>
> “.private”
>
> “.state”.
>
> Three files regarding my zone were also created:
>
> My.domain.signed
>
> And the following 2, which I’m not sure what their purpose is
>
> My.domain.jbk and my.domain.signed.jnl
The .jnl files are journal files and are created when a zone uses
dynamic update to store changes that are made to zone files.
The .jbk files are truly temporary files and should be removed again
when writing the contents of the zone to file.
> There are also “managed-keys.bind” and “managed-keys.bind.jnl”
These are trust anchor files, and store the state of those keys. These
will be updated on a restart.
>
> My questions:
>
> 1. Every time I restart the service, it seems all these files are
> recreated. Does this mean that every time I make a change in the
> host zone, I need to resend the public key to my top domain?
No, the key files (.key, .private, .state) should also not be recreated
upon restart (a bug that would recreate key files on every keymgr run was
fixed in 9.16.30).
> 2. Do Parental Agents help with this?
Not in this case, because there is no need to send the public key to the
parent domain. Parental agents only help to automatically detect if the
corresponding DS has been published.
Without parental agents configured you need to use 'rndc dnssec -checkds'
to tell BIND that a certain DS has been published/withdrawn in order to
continue key rollover.
> 3. Which format should I use when providing the key to the top level
> domain?
>
> dnssec-dsfromkey /var/named/Kexample.com.+013+61141.key
>
> or
>
> grep DNSKEY /var/named/Kexample.com.+013+61141.key
I assume you are submitting the public key to your registrar and it
depends on what format your registrar accepts.
Best regards,
Matthijs
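The format question in (3) comes down to two representations of the same key: the DNSKEY RR that 'grep DNSKEY' prints from the .key file, and the DS RR that dnssec-dsfromkey derives from it (a hash over the owner name plus the DNSKEY RDATA, RFC 4034 section 5.1.4, keyed by the RFC 4034 Appendix B key tag that also appears in the file name). The following is an added example, not code from this thread or from BIND, that performs that derivation in Python on a constructed key file. The file contents, the 64-byte placeholder public key (not a real P-256 point), the key tag 59409 and the name example.com are assumptions made for the example.

```python
import base64
import hashlib
import struct

# Constructed sample: the shape of a Kexample.com.+013+NNNNN.key file as
# written for the single ECDSAP256SHA256 CSK (flags 257) that
# "dnssec-policy default" creates. The public key bytes are a placeholder,
# not a real P-256 point, so the example runs offline; the keyid in the
# comment line is the value key_tag() below yields for this placeholder.
_SAMPLE_PUBKEY = bytes(range(64))
SAMPLE_KEY_FILE = (
    "; This is a key-signing key, keyid 59409, for example.com.\n"
    "; Created: 20230411100000 (Tue Apr 11 10:00:00 2023)\n"
    "example.com. 3600 IN DNSKEY 257 3 13 "
    + base64.b64encode(_SAMPLE_PUBKEY).decode("ascii")
    + "\n"
)

# DS digest types (RFC 4509 / RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label in {name!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def parse_dnskey(text: str):
    """Return (owner, flags, protocol, algorithm, pubkey) from the DNSKEY RR
    in a .key file, or from the one line 'grep DNSKEY K*.key' prints.
    ';' comments, an optional TTL and base64 split over several tokens
    are all accepted."""
    for line in text.splitlines():
        tokens = line.split(";", 1)[0].split()
        if "DNSKEY" not in tokens:
            continue
        i = tokens.index("DNSKEY")
        flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
        pubkey = base64.b64decode("".join(tokens[i + 4:]))
        return tokens[0], flags, proto, alg, pubkey
    raise ValueError("no DNSKEY record found")


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA. This is the number
    in the key file name (the 61141 in Kexample.com.+013+61141.key) and in
    the DS record."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(text: str, digest_type: int = 2):
    """Build the DS RR the parent should publish: digest over canonical owner
    name + DNSKEY RDATA (flags | protocol | algorithm | public key).
    Returns (presentation-format DS line, key tag)."""
    owner, flags, proto, alg, pubkey = parse_dnskey(text)
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if not flags & 0x0100:
        # Bit 7 (value 256) is the ZONE flag; without it this is not a zone key.
        raise ValueError("ZONE flag not set; refusing to build a DS for it")
    # Bit 15 (value 1) is SEP: set on the KSK/CSK, which is the key whose DS
    # belongs at the parent. A ZSK (flags 256) would pass the check above
    # but is not what a registrar wants, so callers should inspect flags.
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    digest = _DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    tag = key_tag(rdata)
    return f"{owner} IN DS {tag} {alg} {digest_type} {digest}", tag


if __name__ == "__main__":
    # What 'grep DNSKEY' hands you, then what dnssec-dsfromkey would derive.
    print(SAMPLE_KEY_FILE.strip().splitlines()[-1])
    print(ds_from_dnskey(SAMPLE_KEY_FILE)[0])
```

For a real key, check the result against `dnssec-dsfromkey -a SHA-256 Kexample.com.+013+61141.key`: tag, algorithm, digest type and digest must agree, and the tag must equal the keyid in the .key file's comment line, before anything is handed to the registrar. A registrar that accepts only DNSKEY input computes the DS itself from that same RDATA; either way, once the DS is visible at the parent, 'rndc dnssec -checkds published' is what tells BIND to continue the rollover when no parental agents are configured.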