Hi Adrien,

Without any logs or key **state** files, I can't really tell what is going on.

My only gut feeling is that you have never signaled BIND 9 that the DS has been published. You can run 'rndc dnssec -checkds -key 12345 published example.com' or set up parental-agents to do it for you.

Best regards,

Matthijs

On 1/17/23 09:38, adrien sipasseuth wrote:
Hello,

I set up DNSSEC management with KASP, and the zone is fully functional (dig shows the "AD" flag, etc.).

On the other hand, I can't see when the key rollover period for my KSK is over (2 KSKs with a dig DNSKEY...).

Without KASP, it was easy because I generated the second KSK key, but with KASP it is managed automatically.

So, I have to adapt my scripts to check that there is:
  - a KSK key in use and a next KSK key
  - or only one KSK key in use (if we are not in a rollover phase)

Except that with my current policy, I never see 2 KSKs via a "dig DNSKEY...".
Here is my policy:

dnssec-policy "test" {
     keys {
         ksk lifetime P7D algorithm ecdsa256;
         zsk lifetime P3D algorithm ecdsa256;
     };
     purge-keys 1d;
     publish-safety 3d;
     retire-safety 3d;
};

I see either my KSK in use or my next KSK (via "dig DNSKEY...") but never both at the same time.

Is this a normal behavior or am I doing it wrong?

Regards, Adrien
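One way to script the check Adrien describes, as an added example written for this thread (not code from the list, from BIND, or from either poster): parse dig DNSKEY output, keep the KSKs by their SEP flag, compute each key tag per RFC 4034, and compare the tags with the parent's DS set, which also surfaces the "DS never signaled as published" situation Matthijs raises. The sample records and their base64 keys are constructed dummies, and `example.com` and the resulting key tags are assumed values.

```python
import base64
import struct

# Constructed sample records (dummy base64 keys, not real key material): two KSKs
# (flags 257), one ZSK (flags 256), and a parent DS that covers only the first KSK.
SAMPLE_DNSKEY = [
    "example.com. 3600 IN DNSKEY 257 3 13 AQID",
    "example.com. 3600 IN DNSKEY 257 3 13 BAUG",
    "example.com. 3600 IN DNSKEY 256 3 13 AQID",
]
SAMPLE_DS = ["example.com. 86400 IN DS 2064 13 2 0000deadbeef"]

def parse_dnskey(line):
    """Parse one DNSKEY line in dig's presentation format into (flags, proto, alg, key)."""
    _owner, _ttl, _cls, rrtype, flags, proto, alg, *key = line.split()
    if rrtype != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    return int(flags), int(proto), int(alg), base64.b64decode("".join(key))

def key_tag(flags, proto, alg, key):
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_ds_tags(lines):
    """Collect the key tags referenced by the parent's DS records (dig DS output)."""
    return {int(f[4]) for f in (l.split() for l in lines) if len(f) >= 5 and f[3] == "DS"}

def ksk_rollover_state(dnskey_lines, ds_lines):
    """Return (state, KSK tags covered by a DS, KSK tags with no DS at the parent)."""
    # The SEP bit (lowest flag bit) marks a KSK: 257 is a KSK, 256 is a ZSK.
    ksk_tags = sorted(key_tag(*r) for r in map(parse_dnskey, dnskey_lines) if r[0] & 1)
    ds_tags = parse_ds_tags(ds_lines)
    in_ds = [t for t in ksk_tags if t in ds_tags]
    not_in_ds = [t for t in ksk_tags if t not in ds_tags]
    if len(ksk_tags) >= 2:
        state = "rollover"      # two KSKs published: a rollover is in progress
    elif len(ksk_tags) == 1 and in_ds:
        state = "steady"        # a single KSK and the parent DS points at it
    else:
        state = "ksk-without-ds" if ksk_tags else "no-ksk"
    return state, in_ds, not_in_ds

if __name__ == "__main__":
    print(ksk_rollover_state(SAMPLE_DNSKEY, SAMPLE_DS))
```

The tags it reports are the key ids that `rndc dnssec -checkds -key <id>` expects, so a KSK listed under "not covered by a DS" is the one to check at the parent.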


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users