Hi,

On 16-08-2021 04:28, raf via bind-users wrote:
On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf <b...@raf.org> wrote:

...

So it's looking good and I'm happy now. But how long
after the zone has been signed can I expect to see
CDS/CDNSKEY RRs appear? Why aren't they created at
the same time as the DNSKEY RRs? I assume there's
a good reason but I can't think what it is.

First the RRsets with signatures need to be in the zone long enough that any cached unsigned RRsets in resolvers' caches have expired.

If you call 'rndc dnssec -status <zone>' you might see that the "zone rrsigs" are still in the "rumoured" state. Once they are omnipresent, the DS may be submitted and that is the time when the corresponding CDS/CDNSKEY records will be published.


Also, please document the dangers of putting a
dnssec-policy usage directive in the options {} stanza
(unless something significant has changed since version
9.16.15, and bind now knows not to sign zones that
really shouldn't be signed locally - but even if that's
the case, you could document what version that changed in).

That's a good addition. There are a bunch of other suggestions to improve the documentation that I am planning to make and I'll add this suggestion to the list. Thanks.


Thanks again for making DNSSEC so easy to implement
(as long as you avoid classic rookie errors). :-)

Thanks for trying it out and reporting back; this way we can improve it even more.

Best regards,

Matthijs



cheers,
raf

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
