Hi,

I am currently testing a DNSSEC setup with the new dnssec-keymgr tool. I created a test zone with very fast key rollover settings and very short TTLs (configs below).

The automated creation of keys seems to work fine, but BIND behaves differently than I would have expected:

- Initial deployment looks fine, with the current ZSK published and in use. (http://dnsviz.net/d/testmichhartundwild.de/V4ep6A/dnssec/)
- At prepublication time the next key is published but not yet used (as expected). (http://dnsviz.net/d/testmichhartundwild.de/V4fV_A/dnssec/)
- After rollover time the new key is used to sign the zone EXCEPT the SOA record. This one is still signed by the old key. (http://dnsviz.net/d/testmichhartundwild.de/V4fyNQ/dnssec/)
- When the post-publication period of the old key expires, it is removed and the new key is used for all records. (http://dnsviz.net/d/testmichhartundwild.de/V4gSGg/dnssec/)

I am confused because of the special treatment of the SOA record. I would expect a complete switch to the new key. At the moment, cached responses of the SOA record could not be verified in the timeframe between deletion of the old key and the next TTL.

Am I missing something?

Regards,
Nis

----

dnssec-keymgr policy:

    zone testmichhartundwild.de {
        algorithm RSASHA256;
        directory "/etc/bind/zones/keys";
        coverage 2d;
        keyttl 600;
        roll-period zsk 8h;
        post-publish zsk 2h;
        pre-publish zsk 2h;
    };

bind zone config:

    zone "testmichhartundwild.de" IN {
        type master;
        file "de/testmichhartundwild.de/zone.db";
        // Allow zone transfers to trusted servers
        allow-transfer { myServers; localhost; };
        // Allow updates with shared key
        update-policy { grant morpheus-trinity. zonesub any; };
        serial-update-method unixtime;
        // Activate dnssec for this domain
        key-directory "keys";
        auto-dnssec maintain;
    };

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
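The check a zone operator would want after a rollover like the one described above, as an added example that is not part of the original post and not code from BIND or dnssec-keymgr: it parses the RRSIG records of a zone snapshot (the presentation format `dig +dnssec` prints), reads the published key tags from the BIND key-directory file names (`K<zone>+<alg>+<keytag>.key`), and reports every RRset whose signatures name a key that is no longer published, which is exactly the state in which a validating resolver can no longer verify a cached SOA. It also derives the publish/activate/inactive/delete times for one ZSK from policy values shaped like the poster's (`pre-publish`, `roll-period`, `post-publish`) and checks that the post-publish interval covers the longest TTL of the records the retiring key signed. The zone `example.test.`, its records and the key tags 11111, 22222 and 33333 are constructed for this example.

```python
"""Audit a signed zone snapshot after a ZSK rollover.

Added example, not code from the original post or from BIND/dnssec-keymgr.
All sample data below (zone name, records, key tags) is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: RRSIG lines as `dig +dnssec` prints them. Key tags 11111
# (old ZSK), 22222 (new ZSK) and 33333 (KSK) are made up. The SOA is still
# signed by the old ZSK, mirroring the behaviour described in the post.
ZONE_SNAPSHOT = """\
example.test. 600 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 600
example.test. 600 IN RRSIG SOA 8 2 600 20240102000000 20240101000000 11111 example.test. c2lnMQ==
example.test. 600 IN NS ns1.example.test.
example.test. 600 IN RRSIG NS 8 2 600 20240102000000 20240101000000 22222 example.test. c2lnMg==
example.test. 600 IN RRSIG DNSKEY 8 2 600 20240102000000 20240101000000 33333 example.test. c2lnMw==
"""

# Constructed sample: a key-directory listing after the old ZSK (11111) has
# been deleted. BIND names key files K<zone>+<alg>+<keytag>.key/.private.
KEY_DIRECTORY = [
    "Kexample.test.+008+22222.key", "Kexample.test.+008+22222.private",
    "Kexample.test.+008+33333.key", "Kexample.test.+008+33333.private",
]

KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")


def published_key_tags(key_files):
    """Key tags of every key currently in the key directory (one .key per key)."""
    tags = set()
    for name in key_files:
        m = KEYFILE_RE.match(name)
        if m:
            tags.add(int(m.group("tag")))
    return tags


def rrsig_key_tags(zone_text):
    """Map (owner, covered type) -> set of key tags whose RRSIGs cover it.

    RRSIG RDATA layout (RFC 4034, section 3.2): type covered, algorithm,
    labels, original TTL, expiration, inception, key tag, signer, signature.
    With owner, TTL and class in front, the key tag is the 11th field.
    """
    signers = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 12 or fields[3] != "RRSIG":
            continue
        owner, covered, key_tag = fields[0], fields[4], int(fields[10])
        signers[(owner, covered)].add(key_tag)
    return dict(signers)


def unverifiable_rrsets(zone_text, key_files):
    """RRsets none of whose RRSIGs name a key that is still published.

    A validating resolver that no longer holds the retired DNSKEY cannot
    validate such an RRset and will fail validation until its TTL expires.
    """
    published = published_key_tags(key_files)
    return {rrset: sorted(tags)
            for rrset, tags in rrsig_key_tags(zone_text).items()
            if not tags & published}


def rollover_timeline(activate, roll_period, pre_publish, post_publish):
    """Event times (seconds) for one ZSK under dnssec-keymgr-style policy:
    published pre_publish before activation, inactive roll_period after
    activation (when the next key takes over), deleted post_publish later."""
    inactive = activate + roll_period
    return {"publish": activate - pre_publish, "activate": activate,
            "inactive": inactive, "delete": inactive + post_publish}


def post_publish_covers_ttl(post_publish, max_ttl):
    """The retiring key must stay published at least as long as the longest
    TTL of any RRset it signed; otherwise cached RRSIGs outlive their key."""
    return post_publish >= max_ttl


if __name__ == "__main__":
    for (owner, rtype), tags in unverifiable_rrsets(ZONE_SNAPSHOT, KEY_DIRECTORY).items():
        print(f"{owner} {rtype} is signed only by unpublished key tag(s) {tags}")
    # Poster's policy: roll-period 8h, pre-publish 2h, post-publish 2h, keyttl 600
    print(rollover_timeline(0, 8 * 3600, 2 * 3600, 2 * 3600))
    print("post-publish covers TTL:", post_publish_covers_ttl(2 * 3600, 600))
```

Run against a real zone by feeding the output of `dig @server zone ANY +dnssec +noall +answer` as the snapshot and an `ls` of the key directory as the file list; any RRset the script reports is one that resolvers may hold in cache with a signature they can no longer validate.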