Hey again!

On 03.03.25 3:18 PM, Matthijs Mekking wrote:
> Hi Bernd,
>
> Sorry for taking a long time to answer these questions:
>

No worries, I had/have no time pressure.

>> 1) Timing Options:
>>
>> I haven't yet grasped all the defaults and their calculated interaction
>> when I let `bind9` manage the signing keys for a zone, which in the end
>> just follows an RFC, if I'm right? I would like to "replicate" those
>> timers manually. I hope I can answer this all by myself. However, the
>> second question:
>
> Correct.
>

I did not yet check the actual timers used by BIND, but I think I rather "see the bigger deployment picture" now; see next comment.

>>
>> 2) Security Lameness
>> Is it neutral or bad or even good, that I publish 2 DS RR in the parent
>> zone, but using only 1 to sign my zone?
>
> This happens anyway during a Double-DS rollover scheme, so I don't think
> it is bad practice. A resolver may have to do a bit more work, but
> negligible in my opinion.
>

Exactly. I realized, while reading the BCP DNSSEC OP2 and "Timers up and down", I never paid attention to the conclusion at the end of each RFC, which was kind of stupid, because many answers are given there, but not at the actual section within the RFC :/ However, at the end most if not all of my questions got answered. *yes*:

* There is no "issue" with /non-active keys/ and their `DS RR` in the parent zone (as you confirmed to me, too)
* There is only a /size restraint/ to consider, that not too many keys can fit into a single UDP response. Btw, I would really like to see some actual examples in the BIND ARM DNSSEC GUIDE.
* In one of the two RFCs there was even the argument that if the operator publishes, together with the active key, the successor key right away, and keeps that successor key offline, the operator gets an okish enough standby key for free.

I have not yet checked or calculated if 3 keys with current recommendations fit, or if not, then if 3 keys using EC would fit. Personally I would rather go with 3 keys. One active, one successor, and one standby. And I still have to check out 9.20!

Thanks again for your time and help, Matthijs!

Best,
Bernd
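The size question raised in the message above (do 3 keys fit into one UDP response, and do they fit when using EC?), worked through as an added example that is not part of the thread and not BIND's own code: a Python estimate of the DNSKEY response wire size. It assumes the zone name example.com., the 1232-byte EDNS buffer size recommended by DNS flag day 2020, RSA keys with public exponent 65537, compressed owner names in the answer section, and an uncompressed RRSIG signer name (RFC 4034 section 3.1.7).

```python
# Added example (not from the thread): estimate the wire size of a DNSKEY
# response to see how many DNSKEY records and RRSIGs fit into one UDP reply.
# Assumptions: zone "example.com.", 1232-byte EDNS limit (DNS flag day 2020),
# 2-byte compression pointers for answer-section owner names, uncompressed
# RRSIG signer name (RFC 4034 sec. 3.1.7), RSA public exponent 65537.

def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a dotted name: label bytes + length octets + root."""
    labels = [l for l in name.strip(".").split(".") if l]
    return sum(len(l) + 1 for l in labels) + 1

def dnskey_pubkey_len(alg: str, bits: int = 0) -> int:
    """Public key field length in a DNSKEY RDATA."""
    if alg == "RSA":            # RFC 3110: exponent length (1) + exponent (3) + modulus
        return 1 + 3 + bits // 8
    if alg == "ECDSAP256":      # RFC 6605: x || y, 32 bytes each
        return 64
    raise ValueError(alg)

def signature_len(alg: str, bits: int = 0) -> int:
    """Signature field length in an RRSIG RDATA."""
    return bits // 8 if alg == "RSA" else 64

RR_FIXED = 2 + 2 + 2 + 4 + 2    # compressed owner + TYPE + CLASS + TTL + RDLENGTH

def dnskey_response_size(zone: str, n_keys: int, n_sigs: int,
                         alg: str, bits: int = 0) -> int:
    """UDP payload size of a DNSKEY answer carrying n_keys keys and n_sigs RRSIGs."""
    header = 12
    question = wire_name_len(zone) + 2 + 2                 # QNAME + QTYPE + QCLASS
    opt_rr = 1 + 2 + 2 + 4 + 2                             # root name, TYPE, UDP size, TTL, RDLEN
    dnskey_rr = RR_FIXED + 2 + 1 + 1 + dnskey_pubkey_len(alg, bits)   # flags, proto, alg, key
    rrsig_rr = RR_FIXED + 18 + wire_name_len(zone) + signature_len(alg, bits)
    return header + question + opt_rr + n_keys * dnskey_rr + n_sigs * rrsig_rr

def fits_in_udp(size: int, limit: int = 1232) -> bool:
    return size <= limit

if __name__ == "__main__":
    for alg, bits in (("RSA", 2048), ("ECDSAP256", 0)):
        for keys, sigs in ((3, 1), (3, 2), (4, 2)):
            size = dnskey_response_size("example.com.", keys, sigs, alg, bits)
            print(f"{alg:10} keys={keys} sigs={sigs} -> {size:5} bytes, fits={fits_in_udp(size)}")
```

The numbers are a floor, since a real DNSKEY RRset may also carry ZSKs and any longer zone name adds bytes; with these assumptions 3 RSA-2048 keys fit only while a single key signs the RRset, whereas 3 or 4 P-256 keys fit with room to spare.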