Hi Larry,

This is documented in the DNSSEC RFCs, but AFAICS it is not mentioned in our documentation. I created a merge request to add such a note in the appropriate places:

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5823

Best regards,

Matthijs

On 10-02-2022 18:23, Larry Rosenman wrote:
On 02/10/2022 10:10 am, Matthijs Mekking wrote:
Hi,

There are several things wrong here. The gist of it is that there is
no valid ZSK and since the zone is not properly signed, BIND does not
want to publish the DS record (even if outside BIND you already
published the DS).

You can tell that BIND does not agree because it did not publish a CDS
record in your zone.

I also noticed two different algorithms. I hadn't noticed it before
but your policy says:

        keys {
                ksk lifetime unlimited algorithm 8 2048;
                zsk lifetime 30d algorithm 13;
        };

This is a garbage policy because you specify different algorithms for
the ksk and the zsk. This can never result in a validly signed zone.

Change the algorithm of the keys so that they match.

Perhaps we can add a named-checkconf check for this.


Best regards,

Matthijs

[snip]

Thanks! Is that little nuance documented? (The need for the KSK and ZSK to be aligned on the type of key.)
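The check Matthijs suggests for named-checkconf can be sketched outside BIND. The script below is an added example and is not BIND code or anything from the thread's participants: it hand-parses the keys block of a dnssec-policy and flags the situation from Larry's configuration, where the KSK uses algorithm 8 and the ZSK algorithm 13. It goes slightly beyond the single case above: it treats a csk as both roles and allows several ksk/zsk lines per algorithm (as during an algorithm rollover), because the underlying rule from RFC 4035 section 2.2 is that every algorithm in the apex DNSKEY RRset must sign every RRset in the zone, so each algorithm needs both a DNSKEY-signing and a zone-signing key. The mnemonic table and the two policy texts are constructed for the example; the tiny parser understands only the keys statement, not full named.conf syntax.

```python
"""Added example: flag dnssec-policy "keys" blocks whose KSK and ZSK
algorithms do not line up.  Not BIND's own code; the parser below is a
minimal hand-rolled one that only understands 'keys { ... };'."""
import re

# Mnemonics named.conf accepts for "algorithm", mapped to IANA numbers.
# Assumption: a subset chosen for this example.
ALGORITHM_NUMBERS = {
    "rsasha1": 5, "nsec3rsasha1": 7, "rsasha256": 8, "rsasha512": 10,
    "ecdsa256": 13, "ecdsap256sha256": 13,
    "ecdsa384": 14, "ecdsap384sha384": 14,
    "ed25519": 15, "ed448": 16,
}

# Constructed copy of the policy from the thread: KSK is RSASHA256 (8),
# ZSK is ECDSAP256SHA256 (13).  Neither algorithm signs the whole zone.
BROKEN_POLICY = """
dnssec-policy "mismatch" {
    keys {
        ksk lifetime unlimited algorithm 8 2048;
        zsk lifetime 30d algorithm 13;
    };
};
"""

# Corrected policy: both keys use the same algorithm.
FIXED_POLICY = """
dnssec-policy "matched" {
    keys {
        ksk lifetime unlimited algorithm 13;
        zsk lifetime 30d algorithm 13;
    };
};
"""


def parse_keys(policy_text):
    """Return [(role, algorithm_number), ...] for each key statement."""
    block = re.search(r"keys\s*\{(.*?)\};", policy_text, re.S)
    if not block:
        return []
    keys = []
    for stmt in block.group(1).split(";"):
        tokens = stmt.split()
        if not tokens or tokens[0] not in ("ksk", "zsk", "csk"):
            continue
        try:
            alg = tokens[tokens.index("algorithm") + 1]
        except (ValueError, IndexError):
            raise ValueError("key statement without algorithm: " + stmt.strip())
        num = int(alg) if alg.isdigit() else ALGORITHM_NUMBERS.get(alg.lower())
        if num is None:
            raise ValueError("unknown algorithm mnemonic: " + alg)
        keys.append((tokens[0], num))
    return keys


def check_policy(policy_text):
    """Return a list of problems; an empty list means the keys are consistent.

    For every algorithm present there must be a key that signs the DNSKEY
    RRset (ksk or csk) and a key that signs the rest of the zone (zsk or csk),
    otherwise that algorithm cannot cover every RRset (RFC 4035 section 2.2).
    """
    keys = parse_keys(policy_text)
    if not keys:
        return ["no keys configured"]
    dnskey_signers = {num for role, num in keys if role in ("ksk", "csk")}
    zone_signers = {num for role, num in keys if role in ("zsk", "csk")}
    problems = []
    for num in sorted(dnskey_signers - zone_signers):
        problems.append("algorithm %d has a KSK but no ZSK" % num)
    for num in sorted(zone_signers - dnskey_signers):
        problems.append("algorithm %d has a ZSK but no KSK" % num)
    return problems


if __name__ == "__main__":
    for name, text in (("mismatch", BROKEN_POLICY), ("matched", FIXED_POLICY)):
        print(name + ":", check_policy(text) or ["ok"])
```

Run against the broken policy it reports two problems (algorithm 8 has no ZSK, algorithm 13 has no KSK); the corrected policy passes. To try it on a real configuration, paste the dnssec-policy text into the string; the script does not read named.conf itself.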

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

