Hi Greg,

thanks for the answer.
I knew that CDS and CDNSKEY are just in my own zone and (as far as I 
understand), serve to inform the parent DNS about (upcoming?) changes in 
DS / DNSKEY records. I'm not quite sure about establishing the initial 
trust with the parent, but as our ccTLD parent DNS doesn't support CDS / 
CDNSKEY it's not a big deal anyway.

What I don't understand is why Bind published CDS / CDNSKEY just for one of two very similar domains? Initially I thought that Bind checks the DS on the parent and only publishes CDS / CDNSKEY if DS doesn't exist or is in some way different.


   Regards,

    Danilo



On 2. 10. 24 12:19, Greg Choules wrote:
Hi Danilo.
The CDS and CDNSKEY are published in your own zone, not anywhere else. You can confirm this by doing a dig for them directly, or AXFR if you permit transfers on your server.
They are intended for use with registrars that *do* support automatic 
DS creation using one of them. If yours doesn't and you already 
published your DS in the parent, then no big deal. The CDS and CDNSKEY 
will just sit in your zone and you don't have to do anything with them.
Does that help?
Cheers, Greg

On Wed, 2 Oct 2024 at 10:58, Danilo Godec via bind-users <bind-users@lists.isc.org> wrote:
    Hi all,

    yesterday I filled my day fiddling with DNSSEC for a couple of my
    test domains - both have been signed 'manually' before, but I
    haven't published the DS record.


    So yesterday I setup both for dnssec-policy, while also changing
    the signing algorithm and keys (basically started from scratch):

    dnssec-policy "nsec3_no_rotate" {
             keys {
                     ksk key-directory lifetime unlimited algorithm 13;
                     zsk key-directory lifetime unlimited algorithm 13;
             };
             nsec3param iterations 0 optout false;
    };

    ...

             zone "sociopat.si  <http://sociopat.si>" {
                     type master;
                     file "master/Danci/sociopat.si.hosts";
                     key-directory "master/Danci/keys";
                     dnssec-policy "nsec3_no_rotate";
                     inline-signing yes;
             };

             zone "psihopat.si  <http://psihopat.si>" {
                     type master;
                     file "master/Danci/psihopat.si.hosts";
                     key-directory "master/Danci/keys";
                     dnssec-policy "nsec3_no_rotate";
                     inline-signing yes;
             };
    ...


    I published DS records through my registrar and after a couple of
    hours all seemed fine - both Verisign dnssec-analyzer and DNSViz
    show no errors or warnings for them.


    However, today bind logged this:

    named[17379]: general: info: CDNSKEY for keysociopat.si/ECDSAP256SHA256/61220  
<http://sociopat.si/ECDSAP256SHA256/61220>  is now published
    named[17379]: general: info: CDS for keysociopat.si/ECDSAP256SHA256/61220  
<http://sociopat.si/ECDSAP256SHA256/61220>  is now published


    I'm pretty sure this is not bad or wrong, but I would like to
    sort-of understand, why Bind decided it needs to publish CDS /
    CDNSKEY for this one and not the other one, given that DS records
    are published in ccTLDs:

    # dig dssociopat.si  <http://sociopat.si>
    ;; QUESTION SECTION:
    ;sociopat.si  <http://sociopat.si>.                   IN      DS

    ;; ANSWER SECTION:
    sociopat.si  <http://sociopat.si>.            5826    IN      DS      61220 
13 2 D8C1553B3D6BCF7A704A3D821069F57B6946DCA1D198D303E3B4C730 616F92AD


    # dig dspsihopat.si  <http://psihopat.si>

    ;; QUESTION SECTION:
    ;psihopat.si  <http://psihopat.si>.                   IN      DS

    ;; ANSWER SECTION:
    psihopat.si  <http://psihopat.si>.            7200    IN      DS      7162 
13 2 3C5A5625F848DBCF99A0B85017AFE04FD1F681037B61BE970D57AE9F 90F21CD8


    Also, as far as I know, .si DNS servers don't support CDS /
    CDNSKEY, so publishing them might be futile.


      Regards,

       Danilo


-- Visit https://lists.isc.org/mailman/listinfo/bind-users to
    unsubscribe from this list

    ISC funds the development of this software with paid support
    subscriptions. Contact us at https://www.isc.org/contact/ for more
    information.


    bind-users mailing list
    bind-users@lists.isc.org
    https://lists.isc.org/mailman/listinfo/bind-users


Lep pozdrav / Best regards,
--
Danilo Godec | Sistemska podpora / System Administration
AGENDA d.o.o. | Ul. Pohorskega bataljona 49, Sl-2000 Maribor
E: danilo.go...@agenda.si | T: +386 (0)2 421 61 31
Agenda OpenSystems <https://www.agenda.si/> | Največji slovenski odprtokodni integrator Red Hat v Sloveniji <http://www.redhat.si/> | Red Hat Premier Business Partner
ElasticBox <http://elasticbox.eu/> | Poslovne rešitve v oblaku
Agenda d.o.o. <https://www.agenda.si/>
Izjava o omejitvi odgovornosti / Legal disclaimer statement <https://www.agenda.si/index.php?id=228>
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to