On 15-04-2021 18:44, Tony Finch wrote:
> Matthijs Mekking <matth...@isc.org> wrote:
>> On 15-04-2021 16:35, Bob Harold wrote:
>>> If BIND holds both the child and parent zone, will it add the DS record
>>> at the correct time? Or do I still need to write scripts to update the
>>> DS records in all my sub-zones? And is there some signal from BIND at
>>> the time the DS record should be written, or do I need to calculate the
>>> right time?
>> Currently you still have to write scripts to update DS records in all
>> your parent zones.
>> The CDS/CDNSKEY records are published in the child zones that indicate
>> the DS should be published, so I would script against that.
>> Then when the DS is seen in the parent, call the rndc dnssec -checkds
>> published/withdrawn command.
> dnssec-cds can tell you what the parental DS record(s) should be. It
> can maintain a dsset file for each child zone that you can $INCLUDE in the
> parent. It's fairly bare so it needs to be wrapped with a script that does
> the necessary queries and updates.
> I don't know if the dnssec-policy stuff includes timing parameters or
> checks to protect against parental publication delays; if not then the
> wrapper script will have to keep track of time or poll the parent servers
> or something.
It does.
After you have issued the 'rndc dnssec -checkds published' command
(which should be done only if you have seen the DS in the parent), BIND
will wait for 'parent-ds-ttl' plus 'parent-propagation-delay' plus
'retire-safety' before actually considering the DS omnipresent. The DS
needs to be omnipresent before the predecessor DNSKEY may be removed.
The defaults for these values are 1 day, 1 hour, and 1 hour. So after
running the 'rndc dnssec -checkds published' command, by default the
rollover will continue 26 hours later.
You should set these parameters to whatever your parent zone is using.
You should set the 'retire-safety' delay to whatever you feel
comfortable with.
Best regards,
Matthijs
> Tony.
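Added example for the procedure discussed in this thread (not code from the thread, from dnssec-cds or from ISC): it derives the DS that the parent should publish from the child's CDNSKEY record (RFC 4034 section 5.1.4 digest and Appendix B key tag), checks whether the parent's visible DS RRset already carries it, and only then emits the `rndc dnssec -checkds published` command together with the time at which BIND will treat the DS as omnipresent (parent-ds-ttl + parent-propagation-delay + retire-safety, using the defaults quoted above). The zone names, the key bytes (`AQIDBA==` is a four-byte placeholder, not a real key), the timestamp and the assumption that the zone name is passed as the last argument of the rndc command are all constructed for the example.

```python
"""
Added example, not from the bind-users thread or from ISC: decide when
'rndc dnssec -checkds published' may be issued for one child zone and when
BIND will consider the DS omnipresent afterwards. All names, keys and
times below are constructed sample values.
"""
import base64
import hashlib
from datetime import datetime, timedelta, timezone

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample: CDNSKEY as 'dig +short'-style presentation text would show it.
# The base64 key is a placeholder (bytes 01 02 03 04), not a usable ECDSA key.
CHILD_CDNSKEY = "child.example. 3600 IN CDNSKEY 257 3 13 AQIDBA=="
# Constructed timestamp for when the DS was first seen in the parent.
SAMPLE_SEEN = datetime(2021, 4, 15, 18, 44, tzinfo=timezone.utc)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_cdnskey(line: str):
    """Parse one presentation-format CDNSKEY (or DNSKEY) line."""
    owner, _ttl, _cls, rrtype, flags, proto, alg, *b64 = line.split()
    if rrtype not in ("CDNSKEY", "DNSKEY"):
        raise ValueError(f"not a CDNSKEY/DNSKEY line: {line}")
    return owner, int(flags), int(proto), int(alg), "".join(b64)


def ds_from_cdnskey(line: str, digest_type: int = 2):
    """RFC 4034 section 5.1.4: digest = H(owner wire form || DNSKEY RDATA)."""
    owner, flags, proto, alg, b64 = parse_cdnskey(line)
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(b64)
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), alg, digest_type, digest)


def parse_ds(line: str):
    """Parse one presentation-format DS line as seen at the parent."""
    _owner, _ttl, _cls, rrtype, tag, alg, dtype, *digest = line.split()
    if rrtype != "DS":
        raise ValueError(f"not a DS line: {line}")
    return (int(tag), int(alg), int(dtype), "".join(digest).upper())


def ds_published(expected, parent_ds_lines) -> bool:
    """True once the parent's DS RRset carries the DS derived from the child's CDNSKEY."""
    return expected in {parse_ds(l) for l in parent_ds_lines}


def checkds_command(zone: str) -> str:
    """The command named in the thread; the trailing zone argument is assumed from rndc usage."""
    return " ".join(["rndc", "dnssec", "-checkds", "published", zone])


def omnipresent_at(seen_at, parent_ds_ttl=timedelta(days=1),
                   parent_propagation_delay=timedelta(hours=1),
                   retire_safety=timedelta(hours=1)):
    """When BIND will treat the DS as omnipresent; defaults are the ones quoted in the thread."""
    return seen_at + parent_ds_ttl + parent_propagation_delay + retire_safety


if __name__ == "__main__":
    expected = ds_from_cdnskey(CHILD_CDNSKEY)
    tag, alg, dtype, digest = expected
    # Constructed parent answer: in practice this comes from querying the parent's servers.
    parent_now = [f"child.example. 86400 IN DS {tag} {alg} {dtype} {digest}"]
    if ds_published(expected, parent_now):
        print(checkds_command("child.example"))
        print("DS omnipresent at", omnipresent_at(SAMPLE_SEEN).isoformat())
    else:
        print("DS not yet visible in parent; keep polling, do not run -checkds")
```

The check is deliberately on the DS as the parent actually serves it, not on the local parent zone file: the wait that follows `-checkds published` only starts counting from the moment the DS is visible, so issuing the command early would let the predecessor DNSKEY be removed before resolvers can validate with the new one.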
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users