Hi all,

I have been experimenting with BIND-9.16.1 & KASP. So far - it really looks great and it should greatly simplify DNSSEC for the masses.

My named.conf entry:-

dnssec-policy "ecdsa256-policy" {
    dnskey-ttl 3600;
    keys {
        ksk lifetime unlimited algorithm ecdsa256;
        zsk lifetime 34d algorithm ecdsa256;
    };
};

zone "smtp.co.za" {
        type master;
        file "/etc/ns.d/pri/smtp.co.za/db.smtp.co.za";
        key-directory "/etc/ns.d/pri/smtp.co.za/keys";
        dnssec-policy "ecdsa256-policy";
};

My experimental zone (smtp.co.za) is still waiting for the initial period of (I think) about 25 hours since setup, so no CDS records in the zone yet - but I do have two new unknown records. From the command:-
dig @localhost smtp.co.za axfr | grep -v RRSIG

smtp.co.za.        1200    IN    SOA    jekyll.smtp.co.za. dns-admin.posix.co.za. 2018091104 86400 10800 604800 600
smtp.co.za.        0    IN    TYPE65534 \# 5 0D0D740001
smtp.co.za.        0    IN    TYPE65534 \# 5 0D1BDA0001
smtp.co.za.        3600    IN    DNSKEY    256 3 13 Rty3kVtsujkbxhKfvVP/xaK2vKetLwBxW9cd0M0GxrpIh8PdvAoTC8us pgljMfMC5PIfNeLp+ZZKH0D0nJVSGg==
smtp.co.za.        3600    IN    DNSKEY    257 3 13 LlDBhlTpPzo7/8hgaIe8AursP216+EuqYjwO23k8dlmIFqKRUEspMPHP jKcqBWrSkoiKbxI2IcbSECynYrehAA==
smtp.co.za.        1200    IN    A    196.43.2.142
...

In my own web management interface, it collects the KSK DNSKEY and generates its own CDS - which it then EPP's up to the parent. That all got done late last night - so the zone is secure (asking 1.1.1.1 - AD is set and correct data returns).

Question - What are the "TYPE65534" records? What are they saying? I am using "DiG 9.16.1" so surprised it doesn't know.

My zone's '$TTL' is 1200... so I would have thought the CDS record would have appeared by now. I "signed" the zone at Apr 12 21:27 +02:00 and it's now 16 hours later. I thought the biggest delay factor is the zone's $TTL, often set to one day.

Looks like the SOA Serial Number still needs to be maintained manually. Was expecting a more OpenDNSSEC approach. Would love an automated YYYYMMDDxx number - date it was last 'modified'. Would be perfect for small zones that are rarely updated.

--

Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za       Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
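What the two TYPE65534 records say, as an added example that is not part of the original post: they are named's private-type signing-state records (the type selected by sig-signing-type, 65534 by default), five bytes of algorithm, 16-bit key id, removal flag and complete flag, which dig prints in RFC 3597 generic form because no presentation format exists for them. The parser below decodes the two records from the dig output above; the ALGORITHMS table and AXFR_LINES are my own additions (the sample lines copied from the post), and the state wording mirrors what `rndc signing -list` reports.

```python
import re

# DNSSEC algorithm numbers (IANA registry); 13 is what the post's policy uses.
ALGORITHMS = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
              14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}

# RFC 3597 generic RDATA, the "\# <len> <hex>" form dig prints for unknown types.
GENERIC_RDATA = re.compile(r"\\#\s+(\d+)\s*([0-9A-Fa-f\s]*)$")

# Constructed sample: the two TYPE65534 lines from the post, plus a neighbour to skip.
AXFR_LINES = [
    "smtp.co.za.        0    IN    TYPE65534 \\# 5 0D0D740001",
    "smtp.co.za.        0    IN    TYPE65534 \\# 5 0D1BDA0001",
    "smtp.co.za.        1200    IN    A    196.43.2.142",
]

def parse_generic_rdata(text):
    """Turn '\\# 5 0D0D740001' into bytes, checking the declared length."""
    m = GENERIC_RDATA.match(text.strip())
    if not m:
        raise ValueError("not RFC 3597 generic RDATA: %r" % text)
    data = bytes.fromhex("".join(m.group(2).split()))
    if len(data) != int(m.group(1)):
        raise ValueError("declared %s bytes, got %d" % (m.group(1), len(data)))
    return data

def decode_signing_state(rdata):
    """Decode named's 5-byte private-type record (alg, keyid, removing, complete)."""
    if len(rdata) != 5:
        raise ValueError("expected 5 bytes, got %d" % len(rdata))
    alg, keyid = rdata[0], int.from_bytes(rdata[1:3], "big")
    removing, complete = bool(rdata[3]), bool(rdata[4])
    if removing:  # same wording 'rndc signing -list' uses for each state
        verb = "Done removing signatures for key" if complete else "Removing signatures for key"
    else:
        verb = "Done signing with key" if complete else "Signing with key"
    return {"algorithm": alg, "keyid": keyid, "removing": removing, "complete": complete,
            "text": "%s %d/%s" % (verb, keyid, ALGORITHMS.get(alg, str(alg)))}

def signing_states_from_axfr(lines):
    """Pick the TYPE65534 records out of presentation-format zone lines."""
    states = []
    for line in lines:
        fields = line.split(None, 4)  # owner, ttl, class, type, rdata
        if len(fields) == 5 and fields[3] == "TYPE65534":
            states.append(decode_signing_state(parse_generic_rdata(fields[4])))
    return states

for state in signing_states_from_axfr(AXFR_LINES):
    print(state["text"])  # -> "Done signing with key 3444/ECDSAP256SHA256", then 7130
```

Both records decode as a finished signing run (removal flag clear, complete flag set) for algorithm 13 keys with ids 3444 and 7130: zone-internal bookkeeping named keeps at TTL 0, not data meant to be published or validated.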

