On Mon, Feb 01, 2021 at 12:09:38PM +0000, pat...@patpro.net wrote:

> I do run BIND 9.16.x and I've just read a few things about
> dnssec-keymgr and dnssec-policy.conf that I need to dig in
> (https://www.sidn.nl/en/dnssec/dnssec-signatures-in-bind-named).

Good luck, feel free to post your experiences, or just email me off list,
if you prefer. I'd like to hear how you find BIND 9.16 for algorithm
rollover.

> > And before you decide it's all fixed for a few years, implement
> > *monitoring*. Unmonitored security is an oxymoron.
>
> If I understand correctly CDNSKEY/CDS records allow full automation
> without requiring manually sending public keys to my registrar, is
> that correct?

In practice, mostly no. Very few registries or registrars support CDS.
BIND will publish the CDS records for you, in the hope that this will
some day actually be useful, but for now you'll almost certainly have to
manually fill in the appropriate form at your registrar. Do ask them
whether they support CDS/CDNSKEY, and if not when...

--
    Viktor.
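An added example, not part of the thread, of the kind of monitoring check Viktor recommends once the DS has been entered at the registrar by hand: it derives the DS record for a DNSKEY as RFC 4034 specifies (key tag plus SHA-256 digest over the canonical owner name and the DNSKEY RDATA) and verifies that every CDS record a zone publishes has a matching DS record at the parent. The zone name and key bytes below are constructed for the demonstration and are not a real key.

```python
import base64
import hashlib

# Constructed sample: a KSK (flags 257) for example.net. using algorithm 8 (RSASHA256).
# The "public key" is a made-up RSA exponent/modulus, only to exercise the code.
ZONE = "example.net."
DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 8,
          "pubkey": base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(1, 65))).decode()}

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root label."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return (key["flags"].to_bytes(2, "big")
            + bytes([key["protocol"], key["algorithm"]])
            + base64.b64decode(key["pubkey"]))

def key_tag(key: dict) -> int:
    """Key tag computed over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, b in enumerate(dnskey_rdata(key)):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(zone: str, key: dict) -> tuple:
    """DS tuple (key tag, algorithm, digest type 2, hex digest) per RFC 4034 section 5.1.4:
    digest = SHA-256(canonical owner name | DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(zone) + dnskey_rdata(key)).hexdigest().upper()
    return (key_tag(key), key["algorithm"], 2, digest)

def cds_matches_parent(cds_records: list, parent_ds: list) -> bool:
    """Monitoring check: every CDS published at the child apex must appear as a DS at the parent.
    Returns False when a CDS has no matching DS, i.e. the registrar form still needs updating."""
    parent = {tuple(r) for r in parent_ds}
    return bool(cds_records) and all(tuple(r) in parent for r in cds_records)
```

In production the CDS set would come from the child zone's own apex and the DS set from the parent's name servers; the comparison itself is what a periodic monitor would alert on.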