On 15-04-2021 16:35, Bob Harold wrote:

On Thu, Apr 15, 2021 at 8:50 AM Bob Harold <rharo...@umich.edu> wrote:


    On Thu, Apr 15, 2021 at 2:57 AM Matthijs Mekking <matth...@isc.org> wrote:



        On 14-04-2021 22:30, Greg Rivers via bind-users wrote:
         > On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote:
         >> Does anyone have an automated KSK roll process, that checks for the DS
         >> record at the parent, that they can share?
         >>
         >> As far as I can tell, the automated signing in BIND will roll the KSK if I
         >> set the timing in the policy file, but it won't check the DS record, so it
         >> will happily break DNSSEC if some other process does not update the DS
         >> record at the right time.  That's too big a risk for me, the process needs
         >> to check the DS record before completing the KSK roll. Surely someone has
         >> done this.  I would rather not reinvent the wheel.  But I have searched and
         >> not found anything yet.
         >>
         > As I understand it, the way it works now is that the actual KSK rollover
         > won't occur until you execute `rndc dnssec -checkds ...` [1].

        That is correct.

         > I'm hopeful that named will fully automate this check at some point soon.

        It is on the roadmap:

        https://gitlab.isc.org/isc-projects/bind9/-/issues/1126

        - Matthijs


         > [1] https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2
         >

    Thank you both very much.  I missed that, and I am testing with the
    RedHat RHEL7 version of BIND 9.11, which does not seem to wait.  Looks
    like I will need to run a newer version of BIND, at least on my in-line
    signing server.

    --
    Bob Harold
    University of Michigan


If BIND holds both the child and parent zone, will it add the DS record at the correct time?  Or do I still need to write scripts to update the DS records in all my sub-zones?  And is there some signal from BIND at the time the DS record should be written, or do I need to calculate the right time?

Currently you still have to write scripts to update DS records in all your parent zones.

The CDS/CDNSKEY records are published in the child zones that indicate the DS should be published, so I would script against that.

Then when the DS is seen in the parent, call the rndc dnssec -checkds published/withdrawn command.

Best regards,

Matthijs
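The workflow Matthijs outlines (script against the child's CDS records, and only call `rndc dnssec -checkds published` once the parent actually serves the matching DS), as an added example that is not code from this thread or from ISC. It assumes a BIND 9.16+ zone with a dnssec-policy, `dig` and `rndc` on PATH, and an rndc key that reaches the signing server; the zone and parent name server are taken as script arguments.

```shell
#!/bin/sh
# Added example, not the thread's or ISC's code: gate the KSK roll on the parent's
# DS. Assumes BIND 9.16+ dnssec-policy, dig/rndc on PATH, rndc reaching named.

# Canonicalise an RRset as `dig +short` prints it to one
# "<keytag> <alg> <digesttype> <digest>" per line: lowercase, single spaces,
# digest re-joined if dig wrapped it, duplicates dropped.
normalize_rrset() {
    printf '%s\n' "$1" \
      | awk 'NF >= 4 { d = ""; for (i = 4; i <= NF; i++) d = d $i; print tolower($1 " " $2 " " $3 " " d) }' \
      | sort -u
}

# $1 = CDS RRset from the child, $2 = DS RRset served by the parent.
# Prints "published <keytag>" for each CDS with an identical DS at the parent;
# returns 0 only when every CDS is mirrored there (the safe-to-roll condition),
# 1 when CDS is empty or any DS is still missing.
cds_published_in_parent() {
    cds=$(normalize_rrset "$1"); ds=$(normalize_rrset "$2")
    [ -n "$cds" ] || return 1
    status=0
    while IFS= read -r rr; do                  # heredoc, not a pipe: $status survives
        case "$rr" in "0 0 0 00") continue ;; esac   # CDS "delete" sentinel, not a key
        tag=${rr%% *}
        if printf '%s\n' "$ds" | grep -Fxq -- "$rr"; then
            echo "published $tag"
        else
            echo "missing $tag" >&2; status=1
        fi
    done <<EOF
$cds
EOF
    return $status
}

# Query child and parent, and only then tell named the DS is in place.
# Point dig at a validating resolver for CDS so a spoofed answer is rejected.
checkds_when_published() {
    zone=$1; parent_ns=$2
    child_cds=$(dig +short "$zone" CDS)
    parent_ds=$(dig +short "@$parent_ns" "$zone" DS)
    if ! tags=$(cds_published_in_parent "$child_cds" "$parent_ds"); then
        echo "$zone: DS not yet complete at parent, rollover stays paused" >&2
        return 1
    fi
    printf '%s\n' "$tags" | while read -r _ tag; do
        [ -n "$tag" ] && rndc dnssec -checkds -key "$tag" published "$zone"
    done
}
if [ $# -ge 2 ]; then checkds_when_published "$1" "$2"; fi
```

Run it from cron as `checkds.sh example.org ns1.parent.example`; the `withdrawn` half of the roll is the same comparison with the old key's DS expected to be absent, passed to `rndc dnssec -checkds -key <oldtag> withdrawn`.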


--
Bob Harold