In message <CABUciRnyNVAMGU=0a6bqnubyst2yec6s9a2gnpbqm9pnrvb...@mail.gmail.com>, Alexander Gurvitz writes:
> > That paragraph from 4.1.4 is just plain wrong and following it will
> > lead to cached data that can't be validated once retrieved.
> >
> > Let's say that all data in the zone has a TTL of 3600.
> >
> > At T - 3500 you have retrieved the DNSKEY while validating an MX RRset.
> > At T - 100 you look up an A record and validate it with the previously
> > validated DNSKEY RRset.
> > At T you update the zone's contents as per above.
> > At T + 100 the DNSKEY RRset expires from the cache.
> > At T + 200 a validating stub resolver looks up the A record and gets
> > RRSIG(KEY1). It then does a DNSKEY retrieval and only gets KEY2.
> >
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
> At T+200 the resolver will get RRSIG(KEY2). But your idea stands, the last
> sentence should read something like this:
> "One replaces the DNSKEY_S_1 signatures with signatures
> made with DNSKEY_S_2 AND, AFTER OLD RRSIG EXPIRE FROM CACHES,
> REMOVES DNSKEY_S_1."
>
> The scenario will be:
> 1. DNSKEY#1 + RRSIGS#1 + DS#1 (initial state)
> 2. DNSKEY#1, DNSKEY#2 + RRSIGS(DNSKEY)#1,#2 + RRSIGS(ZONE)#2 + DS#1 (add
>    new DNSKEY, sign DNSKEYs with both DNSKEYs, sign zone with new DNSKEY only
>    (remove old RRSIGs))
> 3. (wait DNSKEY propagation delay)
> 4. DNSKEY#1, DNSKEY#2 + RRSIGS(DNSKEY)#1,#2 + RRSIGS(ZONE)#2 + DS#2
>    (change DS#1 to DS#2)
> 5. (wait DS propagation delay + RRSIG propagation delay since step 2)
> 6. DNSKEY#2 + RRSIGS#2 + DS#2 (remove DNSKEY#1, and the corresponding
>    DNSKEY signatures)
>
> Anyhow, my question was if that would be possible to achieve with BIND.
>
> Alex
We don't have a dnskey-only flag, though you can do what you want with
dnssec-signzone then post-process the zone to remove the necessary signatures.

You can do single-signature key rollover with named and with dnssec-signzone.

* Publish the new DNSKEY. Add DS for it.
* Wait for DS RRset to time out of caches.
* Activate the new DNSKEY, deactivate the old DNSKEY and bump the serial.
  This will result in the DNSKEY and SOA being signed with the new key.
  - If you are using dnssec-signzone the entire zone will be signed with the
    new key. You can remove the old signatures if you want with dnssec-signzone.
  - If you are doing this with named, as the signatures fall due for
    re-signing they will be done with the new key and the old signatures
    will be removed. This takes most of the sig-validity-interval to happen.
    You can also force the zone to be re-signed using rndc.
* You can un-publish the old key once the last old signature has expired
  from caches.
* You can remove the old DS after waiting DNSKEY TTL after deactivating the
  old KEY.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
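To make the cache-timing argument in this thread concrete, here is an added simulation (not code from the thread, from BIND, or from either author) that replays the quoted T-3500 / T-100 / T / T+200 timeline with a 3600-second TTL and checks whether a validating stub can still validate the cached A record; the key names KEY1/KEY2 and the TTL are taken from the thread, everything else is a constructed model.

```python
# Constructed model of the quoted scenario: a recursive cache in front of an
# authoritative zone, and a validating stub that fetches A+RRSIG then DNSKEY.
TTL = 3600  # every RRset in the zone has this TTL, as in the quoted scenario

class Zone:
    """Authoritative state: published DNSKEYs and which key signs the A RRset."""
    def __init__(self):
        self.keys = {"KEY1"}
        self.a_signer = "KEY1"  # stands in for RRSIG(A) made with KEY1

class Cache:
    """Recursive resolver cache: name -> (cached answer, absolute expiry)."""
    def __init__(self):
        self.entries = {}

    def get(self, name, now):
        entry = self.entries.get(name)
        return entry[0] if entry and now < entry[1] else None

    def put(self, name, answer, now):
        self.entries[name] = (answer, now + TTL)

def lookup(cache, zone, name, now):
    """Serve from cache while unexpired, otherwise fetch from the zone and cache it."""
    answer = cache.get(name, now)
    if answer is None:
        # copy the key set so later zone edits do not leak into the cache
        answer = set(zone.keys) if name == "DNSKEY" else zone.a_signer
        cache.put(name, answer, now)
    return answer

def validate_a(cache, zone, now):
    """Validating stub: the signer of the cached A RRset must be in the DNSKEY RRset."""
    signer = lookup(cache, zone, "A", now)
    keys = lookup(cache, zone, "DNSKEY", now)
    return signer in keys

def run_scenario(remove_key1_at, check_at):
    """Replay the thread's timeline (T = 0); remove_key1_at=None keeps KEY1 published."""
    cache, zone = Cache(), Zone()
    lookup(cache, zone, "DNSKEY", -3500)   # DNSKEY cached until T+100 (MX validation)
    validate_a(cache, zone, -100)          # A + RRSIG(KEY1) cached until T+3500
    zone.keys.add("KEY2")                  # T: new key published and zone re-signed
    zone.a_signer = "KEY2"                 # with KEY2 only (old RRSIGs dropped)
    if remove_key1_at is not None and remove_key1_at <= check_at:
        zone.keys.discard("KEY1")          # removal has taken effect by check time
    return validate_a(cache, zone, check_at)
```

Removing KEY1 at T (the procedure the quoted 4.1.4 text describes) makes the T+200 validation fail, while keeping KEY1 published until the last RRSIG(KEY1) has aged out of caches (T+3500 here) keeps every check passing.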