[KASP] Key rollover

adrien sipasseuth sipasseuth.adrien at gmail.com
Mon Feb 13 16:39:22 UTC 2023


Hi,

"You configure parental agents and named will check which DS’s are
published.  Named won’t complete the
roll until it knows the new DS is published."
=> What is a parental agent? I don't find this term in the BIND documentation.
From what I understand, you have to specify to BIND that the new DS is
published with the command: rndc dnssec -checkds -key <id new ksk>
published <my-zone>

"If it was me, I'd set the KSK to not roll-over automatically, and
instead create a recurring reminder for yourself to initiate the KSK
roll-over manually? That way you'd never get caught out with a KSK
roll-over happening when you weren't prepared for it? "
=> I don't know if I can get a policy for the ZSK and a manual method for the KSK.
From what I understand, if I want to use a policy I have to remove
"auto-dnssec maintain;", which is necessary for the manual method, right?

In the meantime, I wonder if I can't stay on the manual method even with
BIND 9.18? I read that the auto-dnssec directive might disappear in favor
of dnssec-policy. Does that mean that it might not be possible to do it
manually anymore? Source here =>
https://kb.isc.org/v1/docs/dnssec-key-and-signing-policy

Regards,
Adrien

On Thu, 9 Feb 2023 at 10:35, Mark Andrews <marka at isc.org> wrote:

> You configure parental agents and named will check which DS’s are
> published.  Named won’t complete the
> roll until it knows the new DS is published.
>
> > On 9 Feb 2023, at 19:49, Nick Tait via bind-users <
> bind-users at lists.isc.org> wrote:
> >
> > On 9/02/23 05:17, adrien sipasseuth wrote:
> >> so it works BUT I need to know more than 48h in advance that the
> rollover is starting to submit the new KSK to my registar.
> >>
> >> How can I set this up if it's not with "public-safety"?
> > If it was me, I'd set the KSK to not roll-over automatically, and
> instead create a recurring reminder for yourself to initiate the KSK
> roll-over manually? That way you'd never get caught out with a KSK
> roll-over happening when you weren't prepared for it?
> > --
> > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
> >
> > ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
> >
> >
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
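The point in the thread is that named will not finish a KSK roll until it has seen the new key's DS in the parent, and that the operator otherwise has to tell it with "rndc dnssec -checkds -key <id> published <zone>". The following is an added example, not code from the thread or from BIND itself: it reproduces the check that such a DS lookup performs, by turning a child DNSKEY into the SHA-256 DS the parent must publish (RFC 4034 section 5, key tag per RFC 4034 appendix B) and testing whether that DS is present in the parent's DS RRset. The zone name, the two KSKs and the parent's DS set are constructed sample data; in practice the parent DS RRset would come from a query against the parent's name servers.

```python
"""Check whether the parent zone already publishes the DS for a child's KSK.

Added example (not BIND code): this is the test behind "is the new DS
published yet?", which is what has to be true before a KSK roll can
complete.  Every input below is constructed sample data.
"""
import base64
import hashlib

DIGEST_TYPE_SHA256 = 2  # DS digest type 2 = SHA-256 (RFC 4509)


def name_to_wire(name: str) -> bytes:
    """Encode a fully qualified owner name in canonical (lowercase) wire form."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(presentation: str) -> bytes:
    """Turn 'flags protocol algorithm base64key' into DNSKEY wire-format rdata."""
    flags, proto, alg, *key_b64 = presentation.split()
    key = base64.b64decode("".join(key_b64))
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag (for all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for_key(owner: str, dnskey: str) -> dict:
    """Compute the SHA-256 DS the parent must publish for this DNSKEY.

    The digest covers the canonical owner name followed by the DNSKEY rdata.
    """
    rdata = dnskey_rdata(dnskey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": DIGEST_TYPE_SHA256,
        "digest": digest,
    }


def ds_published(parent_ds_rrset: list, owner: str, dnskey: str) -> bool:
    """True if the parent's DS RRset contains the DS derived from this DNSKEY."""
    want = ds_for_key(owner, dnskey)
    return any(
        (ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"].lower())
        == (want["key_tag"], want["algorithm"], want["digest_type"], want["digest"])
        for ds in parent_ds_rrset
    )


def rollover_status(parent_ds_rrset: list, owner: str, old_ksk: str, new_ksk: str) -> str:
    """Summarise where a KSK roll stands from the parent's point of view."""
    old_seen = ds_published(parent_ds_rrset, owner, old_ksk)
    new_seen = ds_published(parent_ds_rrset, owner, new_ksk)
    if new_seen and old_seen:
        return "new DS published; old DS can be withdrawn once the roll completes"
    if new_seen:
        return "only the new DS is published; roll can complete"
    return "new DS not yet published; submit it to the registrar"


# Constructed sample data: a zone, its current KSK and the successor KSK.
# The key material is deliberately tiny and is not a usable ECDSA key.
ZONE = "example.com."
OLD_KSK = "257 3 13 AQIDBA=="
NEW_KSK = "257 3 13 BQYHCA=="

# What the parent currently publishes: only the DS for the old KSK.
PARENT_DS = [ds_for_key(ZONE, OLD_KSK)]


if __name__ == "__main__":
    print("old KSK tag:", key_tag(dnskey_rdata(OLD_KSK)))
    print("new KSK tag:", key_tag(dnskey_rdata(NEW_KSK)))
    print("before registrar update:", rollover_status(PARENT_DS, ZONE, OLD_KSK, NEW_KSK))
    after = PARENT_DS + [ds_for_key(ZONE, NEW_KSK)]
    print("after registrar update: ", rollover_status(after, ZONE, OLD_KSK, NEW_KSK))
```

Once this check reports the new DS in the parent, the remaining step is the one already quoted in the thread: either named confirms it itself through its configured parental agents, or the operator runs "rndc dnssec -checkds -key <id> published <zone>" so that the roll can proceed.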