On Thu, Apr 15, 2021 at 2:57 AM Matthijs Mekking <matth...@isc.org> wrote:

> On 14-04-2021 22:30, Greg Rivers via bind-users wrote:
> > On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote:
> >> Does anyone have an automated KSK roll process, that checks for the DS
> >> record at the parent, that they can share?
> >>
> >> As far as I can tell, the automated signing in BIND will roll the KSK if I
> >> set the timing in the policy file, but it won't check the DS record, so it
> >> will happily break DNSSEC if some other process does not update the DS
> >> record at the right time. That's too big a risk for me, the process needs
> >> to check the DS record before completing the KSK roll. Surely someone has
> >> done this. I would rather not reinvent the wheel. But I have searched and
> >> not found anything yet.
> >>
> > As I understand it, the way it works now is that the actual KSK rollover
> > won't occur until you execute `rndc dnssec -checkds ...` [1].
>
> That is correct.
>
> > I'm hopeful that named will fully automate this check at some point soon.
>
> It is on the roadmap:
>
> https://gitlab.isc.org/isc-projects/bind9/-/issues/1126
>
> - Matthijs
>
> > [1] <https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2>

Thank you both very much. I missed that, and I am testing with the RedHat RHEL7 version of BIND 9.11, which does not seem to wait. Looks like I will need to run a newer version of BIND, at least on my in-line signing server.

-- 
Bob Harold
University of Michigan
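The check Bob asked for, as an added example that is not from this thread or from ISC: derive the DS of the new KSK from its DNSKEY (RFC 4034), confirm every parent server's DS RRset carries it, and only then hand back the `rndc dnssec -checkds -key <tag> published <zone>` command (BIND 9.16+ syntax) that lets named finish the roll. The DNSKEY fields and the `dig +noall +answer DS <zone> @<parent-server>` outputs are passed in by the caller; the values in the test are constructed, not a real key.

```python
import base64
import hashlib
import struct

# Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase, uncompressed.
def name_to_wire(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

# DNSKEY RDATA: flags (16 bit), protocol (8 bit), algorithm (8 bit), public key bytes.
def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, proto, alg) + pubkey

# Key tag per RFC 4034 Appendix B (valid for every algorithm except obsolete RSA/MD5).
def key_tag(rdata: bytes) -> int:
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# DS per RFC 4034 section 5.1.4: digest over owner-name wire form + DNSKEY RDATA.
# Returned as (key tag, algorithm, digest type, upper-case hex digest).
def ds_from_dnskey(zone, flags, proto, alg, pubkey_b64, digest_type=2):
    rdata = dnskey_rdata(flags, proto, alg, base64.b64decode(pubkey_b64))
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(zone) + rdata).hexdigest().upper()
    return (key_tag(rdata), alg, digest_type, digest)

# Parse the DS RRset as printed by dig; dig may break the digest into several words.
def parse_ds_answer(text: str) -> set:
    found = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[3] == "DS":
            found.add((int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]).upper()))
    return found

# Return the rndc command only when every queried parent server publishes the new DS;
# None means the roll must keep waiting (a partially propagated DS is not good enough).
def checkds_command(zone, new_ds, parent_answers):
    for answer in parent_answers:
        if new_ds not in parse_ds_answer(answer):
            return None
    return f"rndc dnssec -checkds -key {new_ds[0]} published {zone}"
```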