opendnssec -> inline-signing

Mark Andrews marka at isc.org
Fri Mar 8 00:30:35 UTC 2024


Please read https://kb.isc.org/docs/dnssec-key-and-signing-policy especially
the steps to do when migrating to using dnssec-policy with an existing signed
zone.

Start with "lifetime unlimited".  Tell named which keys have DS already published
using rndc.  You can also use dnssec-settime to do this.  Once your existing keys
are omnipresent you can update the lifetime to what you want to run with.


On 8 Mar 2024, at 10:57, Mark Andrews <marka at isc.org> wrote:
> 
> 
> 
>> On 8 Mar 2024, at 10:54, Randy Bush <randy at psg.com> wrote:
>> 
>>> Your DS and DNSKEY RRsets are not matched.  You
>>> need to publish the DS for the DNSKEY with key
>>> tag 3463.
>>> 
>>> rg.net. 86256 IN DS 12391 8 2 0FB5F11E4FE4045D519A55915BD71D6DCFB1FA045B01BE891640C8EA 1C0792C9
>>> 
>>> rg.net. 3463 IN DNSKEY 256 3 8 (
>>> AwEAAa4acpL+7ohA/vCtwkn4nWtiPxfnWlIpsvaJ8TdV
>>> OXZMetCE1l/iSlBHJT/QQQzC4UJxqendMOhM+8i2jMkd
>>> tkRqgZUGrEZNbAwVWbsLkP6zpbEvRNrPDW6CnGcIedXB
>>> KWqEYtYRb+iC2YhQxwHpd1mQygWwVbJglrujaj1zHcm2
>>> y8jR9h/Y4a2dfImBMHt8kI1xl6phgncWv/GzpzgRUpid
>>> bdx35BGvK09Qa0AxZs35/hTaxgJZq0JW7tOH4jPip/B0
>>> ZSYPXRjfqOorbn+HcIjTEtTRnLuo+RBa1MX25HYrH9Ad
>>> kErOCyWn71sx65L7rySB3iByz67VmA3kW0Qypp8=
>>> ) ; ZSK; alg = RSASHA256 ; key id = 43431
>>> rg.net. 3463 IN DNSKEY 257 3 8 (
>>> AwEAAeW0TsiLDw6VI9rcKCLnKFFVUAznLJEKR2OUExVa
>>> 4n8v5f2lysPYdz/JMl7mqZorSM9ncYRpUmaTzxt5n5XU
>>> dh5qTJcmDZvJRXdDBfBezcXM2Cs+bTxlK/KW/i3CCC0p
>>> g2a6VM4clWFSxw8ZlU2oNslsrw0XbxqIh96WP0jJsAko
>>> 26ACyYdsscZglGUgmyHFxPM2UmKAsk/ABgL8WTrYCg05
>>> 6FDmKT/hTWpZckJu5CekJEq5y+qNGCdqa+j4xY56f0ag
>>> 8cODW89yRPlMrw6Fr8nCLef1B6gRYN9MFU8RUY0hMy3b
>>> s62aB8A25ZRwYTH+3x/W4mNs0DLctSBZaEZnJGs=
>>> ) ; KSK; alg = RSASHA256 ; key id = 30790
>>> rg.net. 3463 IN RRSIG DNSKEY 8 2 3600 (
>>> 20240321203948 20240307193948 30790 rg.net.
>>> OYKcahhMUXRDMicqgFAQBGN6I6qNVwiEnWeMtWhn5t8l
>>> 8x8lSs29rJA9GTjfJurA8wt1IrxZftB9bO/11QL3zcd4
>>> OyCWx6sgJUxsqgrV9HbLVYFIA7ZNLfrTHd3ZELv+WjFl
>>> LwpXwF8PLvguozEsggbO4+8yEnBMBB2H4yEovoZSJgmD
>>> ufApZJ2xwy/EaWUlOfSTUZiFpgKgUaSEkGJb96EbAKts
>>> kMKIpm4SWlrVobSCrbv/KF6/a8+8Wtj0tY7mgjPbREDd
>>> liaN92BRsQO0ykBep+HxH85CXPhqBMnl2Z43guX2t+QZ
>>> B36h61FrpFOt7RUnvJ8Pn3Rz+kx1VVOIsw== )
>>> 
>>>> https://git.rg.net/randy/randy/src/master/scratch.md
>> 
>> yes, we can see that, as we noted.  and yes we could rekey 42 zones at
>> the parents; great fun.
>> 
>> but WHY NOT?  same key sets with opendnssec and inline-signing, we
>> think.
>> 
>> randy
> 
> I can’t get to https://git.rg.net/randy/randy/src/master/scratch.md
> without installing a negative trust anchor or you fixing/removing the DS.  
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
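The check behind the advice above, as an added example that is not code from the thread, from ISC or from BIND: compute the key tag of every DNSKEY in the apex RRset, compute the DS digest for each, compare against what the parent actually serves, and only for keys whose DS is really there emit the command that tells a dnssec-policy zone the DS is published. The sample input is the DNSKEY and DS data quoted in the thread; the `rndc dnssec -checkds -key <tag> published <zone>` form (BIND 9.16 and later) and the `dnssec-settime -s -d <state> <date> -P ds <date>` options are taken from their man pages, and the key-file name pattern `K<zone>+<alg>+<tag>` is BIND's usual one.

```python
"""Added example (not from the thread, ISC or BIND): find which DNSKEYs have a
matching DS at the parent and build the "tell named the DS is published"
command for them.  Key tags follow RFC 4034 Appendix B; DS digests follow
RFC 4034 s5.1.4 (SHA-1) and RFC 4509 (SHA-256)."""
import base64
import hashlib

# Sample input constructed from the dig output quoted in the thread.
ZONE = "rg.net."
DNSKEYS = [  # "flags protocol algorithm base64-public-key"
    "256 3 8 "
    "AwEAAa4acpL+7ohA/vCtwkn4nWtiPxfnWlIpsvaJ8TdVOXZMetCE1l/iSlBHJT/QQQzC4UJxqendMOhM+8i2jMkd"
    "tkRqgZUGrEZNbAwVWbsLkP6zpbEvRNrPDW6CnGcIedXBKWqEYtYRb+iC2YhQxwHpd1mQygWwVbJglrujaj1zHcm2"
    "y8jR9h/Y4a2dfImBMHt8kI1xl6phgncWv/GzpzgRUpidbdx35BGvK09Qa0AxZs35/hTaxgJZq0JW7tOH4jPip/B0"
    "ZSYPXRjfqOorbn+HcIjTEtTRnLuo+RBa1MX25HYrH9AdkErOCyWn71sx65L7rySB3iByz67VmA3kW0Qypp8=",
    "257 3 8 "
    "AwEAAeW0TsiLDw6VI9rcKCLnKFFVUAznLJEKR2OUExVa4n8v5f2lysPYdz/JMl7mqZorSM9ncYRpUmaTzxt5n5XU"
    "dh5qTJcmDZvJRXdDBfBezcXM2Cs+bTxlK/KW/i3CCC0pg2a6VM4clWFSxw8ZlU2oNslsrw0XbxqIh96WP0jJsAko"
    "26ACyYdsscZglGUgmyHFxPM2UmKAsk/ABgL8WTrYCg056FDmKT/hTWpZckJu5CekJEq5y+qNGCdqa+j4xY56f0ag"
    "8cODW89yRPlMrw6Fr8nCLef1B6gRYN9MFU8RUY0hMy3bs62aB8A25ZRwYTH+3x/W4mNs0DLctSBZaEZnJGs=",
]
# The DS the parent actually serves, per the thread (digest whitespace joined).
DS_RECORDS = ["12391 8 2 0FB5F11E4FE4045D519A55915BD71D6DCFB1FA045B01BE891640C8EA1C0792C9"]

DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}  # DS digest type -> hashlib name


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 s6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(text):
    """DNSKEY presentation format -> RDATA bytes (flags, protocol, alg, key)."""
    flags, proto, alg, *b64 = text.split()
    return (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
            + base64.b64decode("".join(b64)))


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except 1, RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """Upper-case hex DS digest over owner-name wire form || DNSKEY RDATA."""
    h = hashlib.new(DIGESTS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def parse_ds(text):
    """DS presentation format -> (key tag, algorithm, digest type, hex digest)."""
    tag, alg, dtype, *digest = text.split()
    return int(tag), int(alg), int(dtype), "".join(digest).upper()


def match_ds(owner, dnskeys, ds_records):
    """Per DNSKEY: tag, algorithm, role, and whether a parent DS matches it on
    tag, algorithm AND digest (16-bit tags collide, so tag alone is not proof)."""
    ds_set = [parse_ds(d) for d in ds_records]
    out = []
    for k in dnskeys:
        rdata = dnskey_rdata(k)
        tag, alg = key_tag(rdata), rdata[3]
        published = any(tag == t and alg == a and d in DIGESTS
                        and ds_digest(owner, rdata, d) == dig
                        for t, a, d, dig in ds_set)
        out.append({"tag": tag, "alg": alg,
                    "ksk": bool(int.from_bytes(rdata[:2], "big") & 1),
                    "ds_published": published})
    return out


def checkds_commands(zone, matches):
    """rndc form (BIND 9.16+): tell a dnssec-policy zone the DS for these keys
    is published, so named can advance the DS state to OMNIPRESENT."""
    return [f"rndc dnssec -checkds -key {m['tag']} published {zone}"
            for m in matches if m["ds_published"]]


def settime_commands(zone, matches):
    """dnssec-settime form on the key files (-s edits key state, -d the DS
    state, -P ds the DS publication time); file name is K<zone>+<alg>+<tag>."""
    return [f"dnssec-settime -s -d OMNIPRESENT now -P ds now "
            f"K{zone}+{m['alg']:03d}+{m['tag']:05d}"
            for m in matches if m["ds_published"]]


if __name__ == "__main__":
    matches = match_ds(ZONE, DNSKEYS, DS_RECORDS)
    for m in matches:
        print(f"{ZONE} {'KSK' if m['ksk'] else 'ZSK'} tag={m['tag']} alg={m['alg']}: "
              + ("DS published" if m["ds_published"] else "no matching DS at parent"))
    for cmd in checkds_commands(ZONE, matches) + settime_commands(ZONE, matches):
        print(cmd)
```

Run against the thread's data the script reports "no matching DS at parent" for both the ZSK (tag 43431) and the KSK (tag 30790) and emits no command: the parent's DS names tag 12391, which is not in the DNSKEY RRset, so there is nothing to tell named about yet. Once a DS that really matches the KSK is in the parent, the same run produces the `rndc dnssec -checkds` line for that key only; never mark a key's DS as published on the strength of a matching tag alone.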
