On 15-04-2021 16:35, Bob Harold wrote:
On Thu, Apr 15, 2021 at 8:50 AM Bob Harold <rharo...@umich.edu> wrote:
On Thu, Apr 15, 2021 at 2:57 AM Matthijs Mekking <matth...@isc.org> wrote:
On 14-04-2021 22:30, Greg Rivers via bind-users wrote:
> On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote:
>> Does anyone have an automated KSK roll process, that checks for the DS
>> record at the parent, that they can share?
>>
>> As far as I can tell, the automated signing in BIND will roll the KSK if I
>> set the timing in the policy file, but it won't check the DS record, so it
>> will happily break DNSSEC if some other process does not update the DS
>> record at the right time. That's too big a risk for me, the process needs
>> to check the DS record before completing the KSK roll. Surely someone has
>> done this. I would rather not reinvent the wheel. But I have searched and
>> not found anything yet.
>>
> As I understand it, the way it works now is that the actual KSK rollover
> won't occur until you execute `rndc dnssec -checkds ...` [1].
That is correct.
> I'm hopeful that named will fully automate this check at some point soon.
It is on the roadmap:
https://gitlab.isc.org/isc-projects/bind9/-/issues/1126
- Matthijs
> [1] https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2
>
Thank you both very much. I missed that, and I am testing with the
RedHat RHEL7 version of BIND 9.11, which does not seem to wait.
Looks like I will need to run a newer version of BIND, at least on
my in-line signing server.
--
Bob Harold
University of Michigan
If BIND holds both the child and parent zone, will it add the DS record
at the correct time? Or do I still need to write scripts to update the
DS records in all my sub-zones? And is there some signal from BIND at
the time the DS record should be written, or do I need to calculate the
right time?
Currently you still have to write scripts to update DS records in all
your parent zones.
The CDS/CDNSKEY records are published in the child zones that indicate
the DS should be published, so I would script against that.
Then when the DS is seen in the parent, call the rndc dnssec -checkds
published/withdrawn command.
Best regards,
Matthijs
--
Bob Harold
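A script along the lines Matthijs describes, as an added example that is not part of this thread or of BIND itself: it parses the child's CDS set and the parent's DS set (fetched out of band with dig, not shown here) and only emits `rndc dnssec -checkds ... published` or `... withdrawn` once the parent really has caught up. The `-key <tag>` option of `-checkds` is assumed from the rndc manual, and the retiring key tag is assumed to be known to the operator (for instance from `rndc dnssec -status`).

```python
"""Gate `rndc dnssec -checkds` on what the parent actually serves (added example).
DS/CDS RRsets are passed in dig presentation format, fetched out of band."""
from typing import Iterable, List, Optional, Set, Tuple

DsTuple = Tuple[int, int, int, str]  # (key tag, algorithm, digest type, digest hex)


def parse_ds_rrset(lines: Iterable[str]) -> Set[DsTuple]:
    """Parse 'owner TTL IN DS|CDS keytag alg digtype digest...' lines; skip anything else."""
    out: Set[DsTuple] = set()
    for line in lines:
        f = line.split()
        if len(f) < 8 or f[2] != "IN" or f[3] not in ("DS", "CDS"):
            continue
        digest = "".join(f[7:]).lower()  # RFC 4034 allows whitespace inside the hex digest
        out.add((int(f[4]), int(f[5]), int(f[6]), digest))
    return out


def checkds_commands(zone: str, cds: Set[DsTuple], parent_ds: Optional[Set[DsTuple]],
                     retiring_keytags: Iterable[int] = ()) -> List[List[str]]:
    """Return the rndc argv lists the parent's current DS set justifies.
    'published' only when every CDS the child publishes for a key tag is at the parent;
    'withdrawn' only when no DS for a retiring key tag remains. A failed parent lookup
    (None) justifies nothing: an empty answer must not be mistaken for a removed DS."""
    if parent_ds is None:
        return []
    cmds: List[List[str]] = []
    for tag in sorted({rec[0] for rec in cds}):
        if {rec for rec in cds if rec[0] == tag} <= parent_ds:
            cmds.append(["rndc", "dnssec", "-checkds", "-key", str(tag), "published", zone])
    parent_tags = {rec[0] for rec in parent_ds}
    for tag in sorted(set(retiring_keytags) - parent_tags):
        cmds.append(["rndc", "dnssec", "-checkds", "-key", str(tag), "withdrawn", zone])
    return cmds


if __name__ == "__main__":
    # Constructed sample: child publishes CDS for new KSK 23456 (two digest types);
    # the parent still serves the old KSK 12345 and only one of the two new DS records.
    child = parse_ds_rrset(["example.test. 3600 IN CDS 23456 13 2 " + "a" * 64,
                            "example.test. 3600 IN CDS 23456 13 4 " + "b" * 96])
    parent = parse_ds_rrset(["example.test. 86400 IN DS 12345 13 2 " + "c" * 64,
                             "example.test. 86400 IN DS 23456 13 2 " + "a" * 64])
    for argv in checkds_commands("example.test", child, parent, retiring_keytags=[12345]):
        print(" ".join(argv))  # prints nothing: the parent has not caught up yet
```

Run it from cron after refreshing both RRsets; because it only ever emits a signal that the parent's DS set already supports, a stalled registrar leaves the rollover waiting rather than breaking validation.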