CDNSKEY / CDS for key is now published - but why?

2024-10-02 Thread Danilo Godec via bind-users
Hi all, yesterday I filled my day fiddling with DNSSEC for a couple of my test domains - both have been signed 'manually' before, but I haven't published the DS record. So yesterday I set up both for dnssec-policy, while also changing the signing algorithm and keys (basically started from sc

Re: CDNSKEY / CDS for key is now published - but why?

2024-10-02 Thread Greg Choules via bind-users
Hi Danilo. The CDS and CDNSKEY are published in your own zone, not anywhere else. You can confirm this by doing a dig for them directly, or AXFR if you permit transfers on your server. They are intended for use with registrars that *do* support automatic DS creation using one of them. If yours doe

Re: CDNSKEY / CDS for key is now published - but why?

2024-10-02 Thread Matthijs Mekking
Hi Danilo, When you enable DNSSEC for the first time, first the DNSKEY and the signatures need to be introduced in the zone, and propagated to the world. The propagation depends on the TTL values, and these are derived from the dnssec-policy configuration. By default it takes more than a day

Re: CDNSKEY / CDS for key is now published - but why?

2024-10-02 Thread Danilo Godec via bind-users
Hi Greg, thanks for the answer. I knew that CDS and CDNSKEY are just in my own zone and (as far as I understand) serve to inform the parent DNS about (upcoming?) changes in DS / DNSKEY records. I'm not quite sure about establishing the initial trust with the parent, but as our ccTLD parent D

Re: Some Statistics Channel Cache Memory Stats either at 0 or accumulating

2024-10-02 Thread Petr Špaček
On 30. 09. 24 22:35, Jason Creviston wrote: I've noticed TreeMemTotal seems to be ever-increasing, while TreeMemMax and HeapMemMax remain at 0. I didn't find any related fixes in the newer versions of 9.18, 9.20, or 9.21. Just started keeping track of stats via the JSON API. Running BIND 9.18

Re: Multi Master/Primary Authoritative DNSSEC DNS Nameserver With Synced/Replicated COMMON Dir/Vol For BIND

2024-10-02 Thread Petr Špaček
On 01. 10. 24 8:15, Terik Erik Ashfolk wrote: Please scratch the below line from the previous post. Upon a detailed look, they have Multi-Master support, but not with DNSSEC support. If you really wanted multi-master with DNSSEC you can have a look at FreeIPA.org, their DNS integration has that. It supp

Re: CDNSKEY / CDS for key is now published - but why?

2024-10-02 Thread Danilo Godec via bind-users
Hi Matthijs, thanks, that explains a bunch. I checked both domains with 'rndc dnssec -status' and they do show different states: # rndc dnssec -status psihopat.si dnssec-policy: nsec3_no_rotate current time: Wed Oct 2 14:25:31 2024 key: 37651 (ECDSAP256SHA256), ZSK published: yes

Re: CDNSKEY / CDS for key is now published - but why?

2024-10-02 Thread Matthijs Mekking
Hi, The change from rumoured to omnipresent is TTL-dependent. To be precise: it is the sum of the configured parent-ds-ttl, parent-propagation-delay, and retire-safety. - Matthijs On 10/2/24 14:55, Danilo Godec via bind-users wrote: Hi Matthijs, thanks, that explains a bunch. I checked