On 29-11-2022 00:39, vom513 wrote:
On Nov 28, 2022, at 3:12 PM, vom513 <vom...@gmail.com> wrote:
Thanks for the reply and info…
I would have thought the CDS would be published before the key went
active. I.e. there would be a period of TWO DS’es at the parent
(I’m assuming the parent supports CDS/CDNSKEY which mine
(registrar) does).
This is called Double-DS rollover (RFC 7583, Section 3.3.2). BIND
implements the Double-KSK method (RFC 7583, Section 3.3.1) for
dnssec-policy.
Since the new key goes active, CDS is published, and the old key is
retired at the same time - isn’t this going to cause a (lack of
coverage/chain of trust) problem? I’m really trying to get to a
point of a “one command” rollover. I.e. no API, no uploading DS,
etc. I guess I’ll see tonight when it happens, but I can’t help
but feel when the clock strikes I’m going to be missing DS for the
new key at the parent.
Sorry to self-reply…
So it did “work” as you said Matthijs… I don’t think I necessarily
need those timers (publish/retire-safety) that I tweaked. I’d rather
use as many bind defaults as possible. I think a big part of my
issue was misunderstanding “retired” status. I nuked everything
clean and will try this again once everything settles down. Thanks
for your patience with me and pointers.
The default publish-safety and retire-safety are set to 3600 seconds.
They are meant to delay rollovers to deal with unforeseen events. I
don't think you need to change them unless you have a good reason to do so.
PS: My registrar says they check CDS/CDNSKEY once a day. Do you
think that’s reasonable? I certainly appreciate them being
cognizant/careful of too much load on their systems with too many
frequent checks, but a day seems long to me...
KSK rollovers are meant to happen infrequently, so once a day seems
reasonable to me.
Note that you would still have to check the parent when the DS has
changed. The DS may be published and withdrawn automatically in the
parent zone if your registrar polls the CDS/CDNSKEY, but BIND by default
does not check whether the DS has actually been published.
Either check it manually, or scripted, and use "rndc dnssec -checkds" to
signal BIND that a certain DS has been published or withdrawn.
Or set up "parental-agents" in your named.conf, that is, a server that
BIND will use to query the DS RRset to fully automate the KSK rollover.
Best regards,
Matthijs
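A scripted form of the manual check described above, added here as an example and not code from the thread or from BIND itself. It assumes dig and rndc are on PATH with rndc.conf already configured, that the local named answers on 127.0.0.1, and that a parent-side name server (parent_ns) is reachable; it signals BIND with "rndc dnssec -checkds published" only when every CDS the child publishes is already present as a DS at the parent.

```shell
#!/bin/sh
# Added example (not from the thread or from BIND): verify that every CDS
# record the child publishes is present as a DS at the parent before telling
# BIND the DS is published, since BIND does not check this itself by default.
# Assumes dig and rndc are on PATH and rndc.conf already points at named.

# Normalise DS/CDS records as printed by `dig +short`: keep keytag, algorithm
# and digest type, re-join a digest that dig may split with spaces, lowercase
# it, and sort so that two sets compare line by line. Lines with fewer than
# four fields (blank lines, dig diagnostics) are dropped.
normalise_ds() {
    awk 'NF >= 4 { d = ""; for (i = 4; i <= NF; i++) d = d $i
                   print $1, $2, $3, tolower(d) }' | sort -u
}

# ds_covers_cds CDS_SET DS_SET
# Returns 0 when every CDS record is present in the parent DS set,
# 1 when at least one is missing (listed on stderr), and 2 when the child
# publishes no CDS at all (nothing to verify, so BIND must not be signalled).
ds_covers_cds() {
    cds=$(printf '%s\n' "$1" | normalise_ds)
    ds=$(printf '%s\n' "$2" | normalise_ds)
    [ -n "$cds" ] || { echo 'no CDS published by child' >&2; return 2; }
    missing=$(printf '%s\n' "$cds" | while IFS= read -r rec; do
        printf '%s\n' "$ds" | grep -Fxq -- "$rec" || printf '%s\n' "$rec"
    done)
    [ -z "$missing" ] || { printf 'DS missing at parent:\n%s\n' "$missing" >&2; return 1; }
    return 0
}

# check_and_signal ZONE PARENT_NS
# Fetch the live sets (CDS from the local named, DS from a parent-side name
# server, both assumed reachable) and signal BIND only when coverage is complete.
check_and_signal() {
    zone=$1; parent_ns=$2
    cds=$(dig +short CDS "$zone" @127.0.0.1)
    ds=$(dig +short DS "$zone" "@$parent_ns")
    if ds_covers_cds "$cds" "$ds"; then
        rndc dnssec -checkds published "$zone"
    fi
}
```

Once the old key's DS has disappeared from the parent, the matching "rndc dnssec -checkds withdrawn ZONE" tells BIND the other half of the rollover has completed.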
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users