dnssec-policy change from ZSK/KSK to CSK failed (bogus DNSSEC for zone)

Sebastian Wiesinger sebastian at karotte.org
Fri Jun 2 12:28:14 UTC 2023


* Matthijs Mekking <matthijs at isc.org> [2023-06-02 14:10]:
> Did you wait until the migration was complete? Everything needs to be
> omnipresent after the migration before you can make DNSSEC policy changes
> safely.

Well, there was no easy way to tell if the migration was complete; there
were no indications of whether the DS hidden status would change or not.

> I noticed:
> 
> >    - ds:             hidden
> 
> This means that from BIND's perspective the DS has not been published. Most
> likely because the other keys were not fully omnipresent yet.

All the keys and the DS were published for years. I don't know why
BIND assumed this wasn't the case.

> If the DS is not published yet, or at least the migration has not reached
> this state yet, you can do anything with the DNSSEC records, because of the
> absence of a secure delegation.

Well, I configured a parental-agent, so BIND would've been free to
check for the DS record whenever convenient in the process.

Best Regards

Sebastian

-- 
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
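The thread turns on not being able to tell when a dnssec-policy migration has actually settled. The script below is an added example, not code from this thread or from ISC: it reads the K<zone>+<alg>+<id>.state files that named writes into the zone's key-directory and lists every key record whose state has not yet reached the key's GoalState, so a "ds: hidden" on a long-published KSK (as in this thread) shows up before anyone switches the policy to a CSK. The field names (GoalState, DNSKEYState, ZRRSIGState, KRRSIGState, DSState) and the two sample state files are my reconstruction of the format and are assumptions to verify against your BIND version; the sample keys are constructed, not real.

```python
"""Report whether a BIND dnssec-policy key migration has settled.

Added example (not from the bind-users thread or from ISC). Parses the
K<zone>+<alg>+<id>.state files named writes into key-directory. Field
names below are assumed from the key state file format; check them
against your BIND version.
"""
import sys
from pathlib import Path

# Per-record state fields named tracks for a key; a KSK normally carries
# DNSKEYState, KRRSIGState and DSState, a ZSK DNSKEYState and ZRRSIGState.
RECORD_FIELDS = ("DNSKEYState", "ZRRSIGState", "KRRSIGState", "DSState")

# Constructed sample state files (assumed format, fake key ids).
# A KSK whose DS named has never seen as published at the parent ...
SAMPLE_KSK_STATE = """\
; This is the state of key 12345, for example.com.
Algorithm: 13
Length: 256
Lifetime: 0
KSK: yes
ZSK: no
Generated: 20200101000000 (Wed Jan  1 00:00:00 2020)
Published: 20200101000000 (Wed Jan  1 00:00:00 2020)
Active: 20200101000000 (Wed Jan  1 00:00:00 2020)
GoalState: omnipresent
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: hidden
"""

# ... and a ZSK that is fully omnipresent.
SAMPLE_ZSK_STATE = """\
; This is the state of key 23456, for example.com.
Algorithm: 13
Length: 256
Lifetime: 0
KSK: no
ZSK: yes
GoalState: omnipresent
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
"""


def parse_state(text: str) -> dict:
    """Parse one state file into {field: value}; ';' lines are comments."""
    state = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        field, sep, value = line.partition(":")
        if sep:
            state[field.strip()] = value.strip()
    return state


def key_problems(state: dict, name: str = "key") -> list[str]:
    """List records of one key that have not reached the key's GoalState.

    GoalState is 'omnipresent' for a key that should be in use and 'hidden'
    for one that is retiring; every record state listed for the key must
    match it before the migration counts as finished for that key.
    """
    goal = state.get("GoalState", "omnipresent")
    return [
        f"{name}: {field} is {state[field]}, goal {goal}"
        for field in RECORD_FIELDS
        if field in state and state[field] != goal
    ]


def migration_complete(states: dict) -> tuple[bool, list[str]]:
    """Combine per-key checks: (True, []) only when every key has settled."""
    problems = []
    for name, state in states.items():
        problems.extend(key_problems(state, name))
    return (not problems, problems)


def check_key_directory(directory: str) -> tuple[bool, list[str]]:
    """Run the check over all K*.state files in a named key-directory."""
    files = sorted(Path(directory).glob("K*.state"))
    return migration_complete({f.stem: parse_state(f.read_text()) for f in files})


if __name__ == "__main__":
    if len(sys.argv) > 1:
        ok, problems = check_key_directory(sys.argv[1])
    else:  # no directory given: run on the constructed samples
        ok, problems = migration_complete({
            "Kexample.com.+013+12345": parse_state(SAMPLE_KSK_STATE),
            "Kexample.com.+013+23456": parse_state(SAMPLE_ZSK_STATE),
        })
    for p in problems:
        print(p)
    print("migration complete" if ok
          else "migration NOT complete: do not change dnssec-policy yet")
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_migration.py /var/named/keys` (path assumed) and hold off on editing dnssec-policy until it exits 0. If named is not configured with parental-agents, recent BIND versions let you tell it the DS is in the parent with `rndc dnssec -checkds published <zone>`, which is what moves DSState off "hidden".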