Hi, for the second day I am scratching my head over (automatically) publishing CDS/CDNSKEY records. When I read Matthijs Mekking's KB article at https://kb.isc.org/docs/dnssec-key-and-signing-policy, I wanted to try dnssec-policy. Up until now, I was successfully using inline-signing with auto-dnssec.
I configured my dnssec-policy to match the current key settings, but I probably made a mistake and it did not match, so a new key was generated. No big deal, it's a test domain; a rollover is not a problem. Since my TLD supports CDNSKEY, I want to leverage it. So I removed the current DS record from the domain and expected BIND to publish CDS/CDNSKEY (https://bind9.readthedocs.io/en/latest/dnssec-guide.html#the-cds-and-cdnskey-resource-records). Unfortunately I cannot get BIND to publish them automatically. No clue why. I kind of expected BIND to publish them automatically at PublishCDS: 20210811135045 (Wed Aug 11 15:50:45 2021).

domain: irmorava.cz
version: BIND 9.16.19
OS: CentOS 8 Stream + packages from copr.

named.conf:

dnssec-policy "pepa" {
    keys {
        csk key-directory lifetime unlimited algorithm 13;
    };

    // Key timings
    dnskey-ttl PT1H;
    publish-safety PT1H;
    retire-safety PT1H;
    purge-keys P1D;

    // Signature timings
    signatures-refresh P5D;
    signatures-validity P14D;
    signatures-validity-dnskey P14D;

    // Zone parameters
    max-zone-ttl PT1H;
    zone-propagation-delay PT5M;
    parent-ds-ttl PT1H;
    parent-propagation-delay PT1H;

    nsec3param iterations 1 optout false salt-length 16;
};

zone "irmorava.cz" {
    type master;
    file "master/irmorava.cz.zone";
    allow-update { none; };
    key-directory "keys/irmorava.cz";
    dnssec-policy pepa;
    notify yes;
    allow-transfer { pepa_abc; };
};

dig irmorava.cz @127.0.0.1 DNSKEY +short +norec

257 3 13 Xsfq5rEgoE+iT+cvq0OZz43MiLiRLeH8SUAEIprn0/J3PNZSYVlCeNuF 5lfNo6uM0TeApujDhmQ1FPNINKxa2Q==

rndc dnssec -status irmorava.cz

dnssec-policy: pepa
current time:  Thu Aug 12 08:38:40 2021

key: 22788 (ECDSAP256SHA256), CSK
  published:      yes - since Wed Aug 11 10:20:00 2021
  key signing:    yes - since Wed Aug 11 10:20:00 2021
  zone signing:   yes - since Wed Aug 11 12:25:00 2021

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             hidden
  - zone rrsig:     rumoured
  - key rrsig:      omnipresent

key: 44055 (ECDSAP256SHA256), CSK
  published:      no
  key signing:    no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - ds:             hidden
  - zone rrsig:     unretentive
  - key rrsig:      hidden

key: 35549 (ECDSAP256SHA256), CSK
  published:      no
  key signing:    no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - ds:             hidden
  - zone rrsig:     hidden
  - key rrsig:      hidden

/var/named/keys/irmorava.cz/Kirmorava.cz.+013+22788.state:

; This is the state of key 22788, for irmorava.cz.
Algorithm: 13
Length: 256
Lifetime: 0
Predecessor: 44055
KSK: yes
ZSK: yes
Generated: 20210811082000 (Wed Aug 11 10:20:00 2021)
Published: 20210811082000 (Wed Aug 11 10:20:00 2021)
Active: 20210811102500 (Wed Aug 11 12:25:00 2021)
DSPublish: 20210811131037 (Wed Aug 11 15:10:37 2021)
DSRemoved: 20210811131020 (Wed Aug 11 15:10:20 2021)
*PublishCDS: 20210811135045 (Wed Aug 11 15:50:45 2021)*
DNSKEYChange: 20210811102500 (Wed Aug 11 12:25:00 2021)
ZRRSIGChange: 20210811082000 (Wed Aug 11 10:20:00 2021)
KRRSIGChange: 20210811102500 (Wed Aug 11 12:25:00 2021)
DSChange: 20210811082000 (Wed Aug 11 10:20:00 2021)
DNSKEYState: omnipresent
ZRRSIGState: rumoured
KRRSIGState: omnipresent
DSState: hidden
GoalState: omnipresent

As you can see, I rolled over two more keys, but the desired records were not published. Yesterday I tried manually running 'dnssec-settime -P sync now Kirmorava.cz.+013+22788.key'. I have waited, as I read here https://lists.isc.org/pipermail/bind-users/2020-April/102903.html, but still no luck. I am sure I am missing something stupidly simple. Could someone please give me any hint? Or are 'parental-agents' required to be configured? That does not seem like the right way to me.

Josef
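A check for the situation in the post above, added here as an example (it is not part of the original message and not BIND code): it derives the key tag and the SHA-256 DS/CDS rdata from the DNSKEY quoted in the dig output, so that whatever the zone eventually publishes as CDS, and whatever the parent holds as DS, can be compared against the live DNSKEY. It assumes only Python 3 and the standard library; the embedded owner name and DNSKEY are taken from the post, and the CDS text passed to `cds_matches` is whatever `dig CDS +short` returns.

```python
import base64
import hashlib
import struct

# Constructed input: the owner name and the CSK from the dig output quoted above
# (dig +short wraps the base64 key across two space-separated fields).
OWNER = "irmorava.cz."
DNSKEY_SHORT = ("257 3 13 Xsfq5rEgoE+iT+cvq0OZz43MiLiRLeH8SUAEIprn0/J3PNZSYVlCeNuF "
                "5lfNo6uM0TeApujDhmQ1FPNINKxa2Q==")

def parse_dnskey(text):
    """Split 'flags protocol algorithm base64...' into (flags, proto, alg, key bytes)."""
    fields = text.split()
    flags, proto, alg = (int(f) for f in fields[:3])
    return flags, proto, alg, base64.b64decode("".join(fields[3:]))

def dnskey_rdata(flags, proto, alg, key):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1): 2-byte flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """Key tag as in RFC 4034 Appendix B; this is the number rndc and the .state file show."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical wire form of the owner name: lower-case, length-prefixed labels, root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_record(owner, dnskey_text):
    """DS/CDS rdata 'keytag algorithm 2 sha256hex' (digest type 2) for this DNSKEY."""
    flags, proto, alg, key = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest()
    return "%d %d 2 %s" % (key_tag(rdata), alg, digest)

def cds_matches(owner, dnskey_text, cds_text):
    """True if a published CDS (or the parent's DS) line is the SHA-256 DS of this DNSKEY."""
    want = ds_record(owner, dnskey_text).split()
    have = cds_text.lower().split()          # dig may wrap the digest into several fields
    return have[:3] == want[:3] and "".join(have[3:]) == want[3]
```

The key tag computed from the quoted DNSKEY is 22788, the same number rndc reports for the published CSK, which confirms the record was copied intact.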
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users