Hi Danilo. The CDS and CDNSKEY are published in your own zone, not anywhere else. You can confirm this by doing a dig for them directly, or AXFR if you permit transfers on your server.
They are intended for use with registrars that *do* support automatic DS creation using one of them. If yours doesn't and you already published your DS in the parent, then no big deal. The CDS and CDNSKEY will just sit in your zone and you don't have to do anything with them. Does that help?

Cheers,
Greg

On Wed, 2 Oct 2024 at 10:58, Danilo Godec via bind-users <bind-users@lists.isc.org> wrote:
> Hi all,
>
> yesterday I filled my day fiddling with DNSSEC for a couple of my test domains - both have been signed 'manually' before, but I haven't published the DS record.
>
> So yesterday I set up both for dnssec-policy, while also changing the signing algorithm and keys (basically started from scratch):
>
>     dnssec-policy "nsec3_no_rotate" {
>         keys {
>             ksk key-directory lifetime unlimited algorithm 13;
>             zsk key-directory lifetime unlimited algorithm 13;
>         };
>         nsec3param iterations 0 optout false;
>     };
>
>     ...
>
>     zone "sociopat.si" {
>         type master;
>         file "master/Danci/sociopat.si.hosts";
>         key-directory "master/Danci/keys";
>         dnssec-policy "nsec3_no_rotate";
>         inline-signing yes;
>     };
>
>     zone "psihopat.si" {
>         type master;
>         file "master/Danci/psihopat.si.hosts";
>         key-directory "master/Danci/keys";
>         dnssec-policy "nsec3_no_rotate";
>         inline-signing yes;
>     };
>     ...
>
> I published DS records through my registrar and after a couple of hours all seemed fine - both Verisign dnssec-analyzer and DNSViz show no errors or warnings for them.
>
> However, today bind logged this:
>
>     named[17379]: general: info: CDNSKEY for key sociopat.si/ECDSAP256SHA256/61220 is now published
>     named[17379]: general: info: CDS for key sociopat.si/ECDSAP256SHA256/61220 is now published
>
> I'm pretty sure this is not bad or wrong, but I would like to sort-of understand why Bind decided it needs to publish CDS / CDNSKEY for this one and not the other one, given that DS records are published in ccTLDs:
>
>     # dig ds sociopat.si
>     ;; QUESTION SECTION:
>     ;sociopat.si. IN DS
>
>     ;; ANSWER SECTION:
>     sociopat.si. 5826 IN DS 61220 13 2 D8C1553B3D6BCF7A704A3D821069F57B6946DCA1D198D303E3B4C730 616F92AD
>
>     # dig ds psihopat.si
>     ;; QUESTION SECTION:
>     ;psihopat.si. IN DS
>
>     ;; ANSWER SECTION:
>     psihopat.si. 7200 IN DS 7162 13 2 3C5A5625F848DBCF99A0B85017AFE04FD1F681037B61BE970D57AE9F 90F21CD8
>
> Also, as far as I know, .si DNS servers don't support CDS / CDNSKEY, so publishing them might be futile.
>
> Regards,
>
> Danilo
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
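Greg's suggestion to dig for the CDS directly leads to the natural check: does the CDS set in the child zone agree with the DS set the parent serves? The following is an added example, not code from the thread or from BIND, that derives a DS (key tag per RFC 4034 Appendix B, SHA-256 digest type 2) from DNSKEY fields and compares dig-style CDS and DS lines, including the space-split hex that dig prints above; the 64-byte public key in it is constructed, so its digest will not match the real sociopat.si DS.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (the 61220 / 7162 in the thread)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of the owner name, the prefix hashed into a DS."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_from_dnskey(owner: str, flags: int, algorithm: int, pubkey: bytes) -> tuple:
    """Derive (keytag, algorithm, digest type 2, SHA-256 hex) exactly as a CDS/DS carries it."""
    rdata = struct.pack("!HBB", flags, 3, algorithm) + pubkey  # DNSKEY protocol field is always 3
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def parse_ds_line(line: str) -> tuple:
    """Parse 'owner ttl IN DS|CDS tag alg dtype hex...' as dig prints it; dig splits the hex with spaces."""
    fields = line.split()
    i = next(k for k, f in enumerate(fields) if f in ("DS", "CDS"))
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return (tag, alg, dtype, "".join(fields[i + 4:]).upper())

def ds_line(owner: str, ds: tuple, rrtype: str = "DS") -> str:
    """Render a DS/CDS tuple in presentation format (constructed TTL of 3600)."""
    return f"{owner.rstrip('.')}. 3600 IN {rrtype} {ds[0]} {ds[1]} {ds[2]} {ds[3]}"

def cds_matches_parent(cds_lines, parent_ds_lines) -> bool:
    """True when the CDS set in the child and the DS set in the parent agree (nothing left to push)."""
    return {parse_ds_line(l) for l in cds_lines} == {parse_ds_line(l) for l in parent_ds_lines}

if __name__ == "__main__":
    # Constructed KSK (flags 257, algorithm 13) standing in for the real sociopat.si key material;
    # in practice take these fields from `dig DNSKEY sociopat.si` (or `dig CDNSKEY sociopat.si`).
    fake_pubkey = bytes(range(64))
    ds = ds_from_dnskey("sociopat.si", 257, 13, fake_pubkey)
    child_cds = [ds_line("sociopat.si", ds, "CDS")]   # what `dig CDS sociopat.si` should return
    parent_ds = [ds_line("sociopat.si", ds)]          # what `dig DS sociopat.si` should return
    print(child_cds[0])
    print("parent DS matches child CDS:", cds_matches_parent(child_cds, parent_ds))
```

A mismatch between the two sets (different key tag or digest) is the condition under which a CDS-aware registrar would update the parent; with a registrar that ignores CDS, it is the cue to submit the DS by hand.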