Thanks,

so patience is really the name of the game here. )


One more question, if I may - I noticed that the serial number in the signed zone gets 'out of sync' with my source text zone file. I guess that happens when BIND publishes CDS / CDNSKEY records etc.

Is the serial number in my source text zone file still relevant? If it is, I suppose increasing it by one is no longer good enough - I probably need to check the actual SOA and then use that as 'base' and increase that by 1, right?


   Regards,

    Danilo




On 2. 10. 24 15:13, Matthijs Mekking wrote:
Hi,

The change from rumoured to omnipresent is TTL dependent. To be precise: it is the sum of the configured parent-ds-ttl, parent-propagation-delay, and retire-safety.

- Matthijs

On 10/2/24 14:55, Danilo Godec via bind-users wrote:
Hi Matthijs,


thanks,  that explains a bunch.

I checked both domains with 'rndc dnssec -status' and they do show different states:

# rndc dnssec -status psihopat.si
dnssec-policy: nsec3_no_rotate
current time:  Wed Oct  2 14:25:31 2024

key: 37651 (ECDSAP256SHA256), ZSK
   published:      yes - since Tue Oct  1 20:23:24 2024
   zone signing:   yes - since Tue Oct  1 20:23:24 2024

   No rollover scheduled
   - goal:           omnipresent
   - dnskey:         omnipresent
   - zone rrsig:     rumoured

key: 7162 (ECDSAP256SHA256), KSK
   published:      yes - since Tue Oct  1 20:23:24 2024
   key signing:    yes - since Tue Oct  1 20:23:24 2024

   No rollover scheduled
   - goal:           omnipresent
   - dnskey:         omnipresent
   - ds:             hidden
   - key rrsig:      omnipresent


# rndc dnssec -status sociopat.si
dnssec-policy: nsec3_no_rotate
current time:  Wed Oct  2 14:25:34 2024

key: 17354 (ECDSAP256SHA256), ZSK
   published:      yes - since Tue Oct  1 10:09:53 2024
   zone signing:   yes - since Tue Oct  1 10:09:53 2024

   No rollover scheduled
   - goal:           omnipresent
   - dnskey:         omnipresent
   - zone rrsig:     omnipresent

key: 61220 (ECDSAP256SHA256), KSK
   published:      yes - since Tue Oct  1 10:09:53 2024
   key signing:    yes - since Tue Oct  1 10:09:53 2024

   No rollover scheduled
   - goal:           omnipresent
   - dnskey:         omnipresent
   - ds:             rumoured
   - key rrsig:      omnipresent


So I ran 'rndc dnssec -checkds published' for both zones:

# rndc dnssec -checkds published sociopat.si
Marked DS as published since 02-Oct-2024 14:33:33.000

# rndc dnssec -checkds published legenda.si
Marked DS as published since 02-Oct-2024 14:33:47.000

That changed KSK DS state from *hidden* to *rumoured* for psihopat.si, but made no change to sociopat.si.


Should the change be immediate or is it also TTL dependent?



    Regards,

    Danilo
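As an added illustration (not code from the thread, from ISC or from BIND itself), a small Python script that parses the 'rndc dnssec -status' output quoted above, lists KSKs whose DS state is still hidden or rumoured, and applies the sum Matthijs gives (parent-ds-ttl + parent-propagation-delay + retire-safety) to the timestamp printed by 'rndc dnssec -checkds published'. The sample text is constructed from the thread's output and the policy durations passed in are assumptions, not values taken from the thread.

```python
import re
from datetime import datetime, timedelta
# Constructed sample input: the `rndc dnssec -status` output quoted in the thread, trimmed to the KSK.
SAMPLE_STATUS = """\
dnssec-policy: nsec3_no_rotate
key: 61220 (ECDSAP256SHA256), KSK
   published:      yes - since Tue Oct  1 10:09:53 2024
   key signing:    yes - since Tue Oct  1 10:09:53 2024
   No rollover scheduled
   - goal:           omnipresent
   - dnskey:         omnipresent
   - ds:             rumoured
   - key rrsig:      omnipresent
"""
# Constructed: the confirmation line printed by `rndc dnssec -checkds published`, as quoted in the thread.
SAMPLE_CHECKDS = "Marked DS as published since 02-Oct-2024 14:33:33.000"

def parse_key_states(status_text):
    """Map key id -> {'alg', 'role', plus each '- name: state' line} from rndc dnssec -status output."""
    keys, current = {}, None
    for line in status_text.splitlines():
        m = re.match(r"key:\s+(\d+)\s+\(([^)]+)\),\s+(\w+)", line)
        if m:
            current = keys.setdefault(m.group(1), {"alg": m.group(2), "role": m.group(3)})
            continue
        m = re.match(r"\s+-\s+([a-z ]+?):\s+(\w+)", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return keys

def pending_ds_keys(keys):
    """KSK ids whose DS state is not yet 'omnipresent' (still 'hidden' or 'rumoured')."""
    return sorted(k for k, v in keys.items() if v["role"] == "KSK" and v.get("ds") != "omnipresent")

def parse_checkds_time(line):
    """Timestamp from 'Marked DS as published since DD-Mon-YYYY HH:MM:SS.mmm'."""
    m = re.search(r"since (\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+", line)
    return datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")

def ds_omnipresent_at(marked_at, parent_ds_ttl, parent_propagation_delay, retire_safety):
    """Earliest rumoured -> omnipresent time: marked time plus the three policy durations (seconds)."""
    return marked_at + timedelta(seconds=parent_ds_ttl + parent_propagation_delay + retire_safety)

if __name__ == "__main__":
    keys = parse_key_states(SAMPLE_STATUS)
    print("KSKs with DS not yet omnipresent:", pending_ds_keys(keys))
    # Assumed policy values (1d, 1h, 1h); read the real ones from your own dnssec-policy block.
    when = ds_omnipresent_at(parse_checkds_time(SAMPLE_CHECKDS), 86400, 3600, 3600)
    print("DS expected to become omnipresent no earlier than:", when)
```

Feed it the live output ('rndc dnssec -status <zone>') instead of the sample to see which KSKs are still waiting on the parent.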



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
