[KASP] Key rollover
Matthijs Mekking
matthijs at isc.org
Thu Jan 19 08:12:34 UTC 2023
Hi Adrien,
Without any logs or key **state** files, I can't really tell what is
going on.
My only gut feeling is that you have never signaled BIND 9 that the DS
has been published. You can run 'rndc dnssec -checkds -key 12345
published example.com' or set up parental-agents to do it for you.
Best regards,
Matthijs
On 1/17/23 09:38, adrien sipasseuth wrote:
> Hello,
>
> I put the management of DNSSEC under KASP; the zone is fully functional
> (dig shows the "AD" flag, etc.).
>
> On the other hand, I can't see when the key rollover period for my KSK
> is over (2 KSKs with a dig DNSKEY...)
>
> Without KASP, it was easy because I generated the second KSK key but
> with KASP, it is managed automatically.
>
> So, I have to adapt my scripts to check that there is:
> - a used KSK key and a next KSK key
> - Or only one KSK key used (if we are not in rollover phase)
>
> Except that with my current policy, I never see 2 KSKs via a "dig
> DNSKEY...".
> Here is my policy:
>
> dnssec-policy "test" {
>     keys {
>         ksk lifetime P7D algorithm ecdsa256;
>         zsk lifetime P3D algorithm ecdsa256;
>     };
>     purge-keys 1d;
>     publish-safety 3d;
>     retire-safety 3d;
> };
>
> I see either my KSK in use or my next KSK (via "dig DNSKEY...") but
> never both at the same time.
>
> Is this a normal behavior or am I doing it wrong?
>
> Regards, Adrien
>
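As an added example (not part of either message), the kind of check Adrien's scripts can do against a KASP-managed zone: count the KSKs (DNSKEY flags 257) in `dig +short DNSKEY` output to tell steady state from an in-progress rollover, and read the `DSState:` line of the new key's .state file to see whether BIND is still waiting for the DS-published signal Matthijs mentions. The dig output and the state-file fragment are constructed samples; the state-file field name is assumed from BIND 9's key state files.

```shell
#!/bin/sh
# Constructed sample of `dig +short DNSKEY example.com` output
# (flags protocol algorithm key): 257 = KSK (SEP bit set), 256 = ZSK.
SAMPLE_STEADY='257 3 13 KEYDATA1==
256 3 13 KEYDATA2=='
SAMPLE_ROLLOVER='257 3 13 KEYDATA1==
257 3 13 KEYDATA3==
256 3 13 KEYDATA2=='

# Constructed fragment of a BIND 9 key .state file for the new KSK
# (field name DSState assumed from BIND's dnssec-policy state files).
SAMPLE_STATE='KSK: yes
ZSK: no
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: rumoured
GoalState: omnipresent'

# count_ksk: number of DNSKEY records whose flags field is 257.
count_ksk() {
    printf '%s\n' "$1" | awk '$1 == 257 { n++ } END { print n+0 }'
}

# ksk_phase: 1 KSK means steady state, 2 KSKs means a rollover is in
# progress (old and next key both published), anything else is abnormal.
ksk_phase() {
    n=$(count_ksk "$1")
    case "$n" in
        0) echo "no-ksk" ;;
        1) echo "steady" ;;
        2) echo "rollover" ;;
        *) echo "unexpected:$n" ;;
    esac
}

# ds_state: the DSState value from a key .state file. "rumoured" means
# BIND has not yet been told the DS is published at the parent, so the
# rollover will not proceed until `rndc dnssec -checkds published` (or
# parental-agents) confirms it.
ds_state() {
    printf '%s\n' "$1" | awk '$1 == "DSState:" { print $2 }'
}

echo "steady sample:   $(ksk_phase "$SAMPLE_STEADY")"
echo "rollover sample: $(ksk_phase "$SAMPLE_ROLLOVER")"
echo "new KSK DSState: $(ds_state "$SAMPLE_STATE")"
```

In a live check, replace the constructed samples with `dig +short DNSKEY <zone>` output and the contents of the new KSK's .state file from the key directory.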