Hi all,

yesterday I filled my day fiddling with DNSSEC for a couple of my test domains - both had been signed 'manually' before, but I hadn't published the DS records.


So yesterday I set up both with dnssec-policy, while also changing the signing algorithm and keys (basically starting from scratch):

dnssec-policy "nsec3_no_rotate" {
        keys {
                ksk key-directory lifetime unlimited algorithm 13;
                zsk key-directory lifetime unlimited algorithm 13;
        };
        nsec3param iterations 0 optout false;
};

...

        zone "sociopat.si" {
                type master;
                file "master/Danci/sociopat.si.hosts";
                key-directory "master/Danci/keys";
                dnssec-policy "nsec3_no_rotate";
                inline-signing yes;
        };

        zone "psihopat.si" {
                type master;
                file "master/Danci/psihopat.si.hosts";
                key-directory "master/Danci/keys";
                dnssec-policy "nsec3_no_rotate";
                inline-signing yes;
        };
...


I published DS records through my registrar, and after a couple of hours all seemed fine - both Verisign's DNSSEC Analyzer and DNSViz show no errors or warnings for them.


However, today BIND logged this:

named[17379]: general: info: CDNSKEY for key sociopat.si/ECDSAP256SHA256/61220 is now published
named[17379]: general: info: CDS for key sociopat.si/ECDSAP256SHA256/61220 is now published


I'm pretty sure this is not bad or wrong, but I would like to sort of understand why BIND decided it needs to publish CDS / CDNSKEY for this one and not the other one, given that DS records are published in the ccTLD:

# dig ds sociopat.si
;; QUESTION SECTION:
;sociopat.si.                   IN      DS

;; ANSWER SECTION:
sociopat.si.            5826    IN      DS      61220 13 2 D8C1553B3D6BCF7A704A3D821069F57B6946DCA1D198D303E3B4C730616F92AD


# dig ds psihopat.si
;; QUESTION SECTION:
;psihopat.si.                   IN      DS

;; ANSWER SECTION:
psihopat.si.            7200    IN      DS      7162 13 2 3C5A5625F848DBCF99A0B85017AFE04FD1F681037B61BE970D57AE9F90F21CD8


Also, as far as I know, .si DNS servers don't support CDS / CDNSKEY, so publishing them might be futile.


  Regards,

   Danilo
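The check a practitioner wants in this situation is whether the DS the parent serves is the DS derived from the KSK the zone actually serves, and what CDS the child would publish for that KSK. The script below is an added example, not code from the post or from BIND: it computes the DS digest and key tag per RFC 4034 (section 5.1.4 and Appendix B) from DNSKEY presentation-format text, parses DS lines as dig prints them (the digest may be split by a space, as in the post's output), and reports which parent DS entries match a child key, which are stale, and which KSKs have no DS yet. The zone names signed.example. and rolled.example., the function names, and the "public keys" (deterministic filler bytes, not real keys) are all constructed for the example; feed it real `dig DS` and `dig DNSKEY` output to audit your own zones.

```python
"""Added example (not from the bind-users post or from BIND): compare the DS set a
parent publishes for a zone with the DNSKEY set the child serves, and show the
CDS the child would publish for its current KSK.  DS digest and key tag follow
RFC 4034 (section 5.1.4 and Appendix B).  Every record below is constructed
sample data; the "public keys" are deterministic filler bytes, not real keys, so
the digests only exercise the comparison logic."""
import base64
import hashlib

# Digest types a DS record may carry (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(text):
    """'flags proto alg base64...' -> RDATA bytes; the base64 may be split by spaces."""
    f = text.split()
    return dnskey_rdata(int(f[0]), int(f[1]), int(f[2]), base64.b64decode("".join(f[3:])))


def parse_ds(text):
    """'keytag alg digesttype hex...' -> tuple; dig wraps long digests with a space."""
    f = text.split()
    return int(f[0]), int(f[1]), int(f[2]), "".join(f[3:]).upper()


def make_ds(owner, rdata, digest_type=2):
    """DS tuple for a DNSKEY, as the parent would publish it (and as CDS carries it)."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def cds_text(owner, dnskey_line):
    """Presentation form of the CDS a child publishes for this key (same RDATA as DS)."""
    tag, alg, dtype, digest = make_ds(owner, parse_dnskey(dnskey_line))
    return f"{owner} IN CDS {tag} {alg} {dtype} {digest}"


def audit(owner, parent_ds_lines, child_dnskey_lines):
    """Which parent DS entries correspond to a key the child actually serves?"""
    child = [parse_dnskey(line) for line in child_dnskey_lines]
    matched, unmatched = [], []
    for line in parent_ds_lines:
        tag, alg, dtype, digest = parse_ds(line)
        ok = dtype in DIGEST_ALGS and any(
            make_ds(owner, rd, dtype) == (tag, alg, dtype, digest) for rd in child)
        (matched if ok else unmatched).append(tag)
    # KSKs (SEP flag, low bit of the flags field) that the parent has no DS for.
    ksk_tags = [key_tag(rd) for rd in child if int.from_bytes(rd[:2], "big") & 1]
    missing = [t for t in ksk_tags if t not in matched]
    return {"matched": matched, "unmatched": unmatched, "ksk_without_ds": missing}


def fake_key(label):
    """Deterministic 64-byte filler standing in for a P-256 public key (constructed)."""
    d = hashlib.sha256(label.encode()).digest()
    return base64.b64encode(d + d).decode()


# Constructed sample: the parent of rolled.example. still carries the DS of a retired KSK.
CURRENT_KSK = "257 3 13 " + fake_key("current ksk")
RETIRED_KSK = "257 3 13 " + fake_key("retired ksk")
ZSK = "256 3 13 " + fake_key("zsk")


def ds_line(owner, dnskey_line):
    """DS presentation form (what the parent zone would serve) for a DNSKEY line."""
    return "%d %d %d %s" % make_ds(owner, parse_dnskey(dnskey_line))


def demo():
    """Audit two constructed zones: one with a correct DS, one with a stale DS."""
    return {
        "signed.example.": audit("signed.example.",
                                 [ds_line("signed.example.", CURRENT_KSK)], [CURRENT_KSK, ZSK]),
        "rolled.example.": audit("rolled.example.",
                                 [ds_line("rolled.example.", RETIRED_KSK)], [CURRENT_KSK, ZSK]),
    }


if __name__ == "__main__":
    for zone, report in demo().items():
        print(zone, report)
        print("  would publish:", cds_text(zone, CURRENT_KSK))
```

A parent DS that lands in `unmatched` while its key tag is still in `ksk_without_ds` is the case to act on: the registrar holds a DS for a key the zone no longer serves, so validation breaks once the old DNSKEY is gone. If the parent does not consume CDS/CDNSKEY, the `cds_text` output is exactly the tuple to submit by hand.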
