Hi,

I think this should work with some caveats.

First, if you migrate to dnssec-policy (that is, the zone is already signed), make sure that the key properties match the current DNSKEYs.

Second is about your script:

> If the child loses a CDS record - my external script will remove the
> corresponding DS record from the parent.

This is true for BIND 9, as it will publish the CDS for as long as the DS should be in the parent. But it doesn't have to be the case. The RFC (7344) says:

   When the Parent DS is in sync with the CDS/CDNSKEY
   RRset(s), the Child DNS Operator MAY delete the CDS/CDNSKEY RRset(s);
   the Child can determine if this is the case by querying for DS
   records in the Parent.

Personally I like to keep the CDS in the child zone, so you can see if the parent is in sync, that is why I implemented it in BIND 9 to keep the CDS.

Best regards,

Matthijs
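The two caveats above (check that the existing DNSKEYs match the policy's key properties, and do not treat a missing CDS RRset as a request to pull the DS) can both be made mechanical. The following is an added example written for this thread, not BIND's code and not the poster's script; the record strings are constructed presentation-format rdata, and the "delete" CDS value `0 0 0 00` is taken from RFC 8078.

```python
# Added example (not from the thread, not BIND code): a CDS -> DS sync step
# that honours the RFC 7344 caveat, plus a DNSKEY-vs-policy sanity check.
# All record strings below are constructed sample data.

from typing import Iterable, Optional

# RFC 8078 "delete" CDS: key tag 0, algorithm 0, digest type 0, digest "00".
DELETE_CDS = "0 0 0 00"

# IANA DNSSEC algorithm numbers for the mnemonics used in dnssec-policy.
ALG_NUMBER = {"rsasha256": 8, "ecdsa256": 13, "ecdsa384": 14, "ed25519": 15}


def normalize_ds(rdata: str) -> str:
    """Canonical form of a DS/CDS rdata string: 'keytag alg dtype DIGEST'."""
    tag, alg, dtype, digest = rdata.split(None, 3)
    return f"{int(tag)} {int(alg)} {int(dtype)} {digest.replace(' ', '').upper()}"


def reconcile_ds(parent_ds: Iterable[str], child_cds: Optional[Iterable[str]]) -> dict:
    """Decide what the parent's DS RRset should become after one sync run.

    Returns {"ds": set, "add": set, "remove": set, "reason": str}.
      * no CDS RRset at the child: leave the parent alone.  RFC 7344 lets
        the child drop its CDS once the parent is in sync, so absence is
        not a removal request (this is the caveat raised in the reply).
      * the only CDS is the RFC 8078 delete record: remove every DS.
      * otherwise the parent DS set becomes exactly the child's CDS set.
    """
    current = {normalize_ds(r) for r in parent_ds}
    unchanged = {"ds": current, "add": set(), "remove": set()}
    cds = list(child_cds) if child_cds is not None else []
    if not cds:
        return {**unchanged, "reason": "no CDS published; parent unchanged"}
    wanted = {normalize_ds(r) for r in cds}
    if DELETE_CDS in wanted:
        if wanted != {DELETE_CDS}:
            # This script's own policy: a delete record mixed with real CDS
            # is ambiguous, so refuse to act rather than guess.
            return {**unchanged, "reason": "delete CDS mixed with other CDS; refusing to act"}
        return {"ds": set(), "add": set(), "remove": current,
                "reason": "delete CDS; all DS removed"}
    return {"ds": wanted, "add": wanted - current, "remove": current - wanted,
            "reason": "parent DS set to child CDS set"}


def dnskey_policy_mismatches(dnskeys: Iterable[str], policy_keys: dict) -> list:
    """Compare a zone's DNSKEY RRset with a dnssec-policy 'keys' block.

    dnskeys: rdata strings 'flags protocol alg base64'; flag 257 = KSK
    (SEP bit set), 256 = ZSK.  policy_keys: {"ksk": "ecdsa256", "zsk": ...}.
    Returns human-readable mismatches; an empty list means they agree.
    """
    seen = {"ksk": set(), "zsk": set()}
    for rr in dnskeys:
        flags, _proto, alg, _key = rr.split(None, 3)
        role = "ksk" if int(flags) & 1 else "zsk"   # SEP bit is the low flag bit
        seen[role].add(int(alg))
    problems = []
    for role, mnemonic in policy_keys.items():
        expected = ALG_NUMBER[mnemonic]
        have = seen.get(role, set())
        if not have:
            problems.append(f"{role}: policy expects algorithm {expected}, zone has no {role.upper()}")
        for alg in have - {expected}:
            problems.append(f"{role}: zone key uses algorithm {alg}, policy says {expected}")
    return problems


if __name__ == "__main__":
    parent = ["12345 13 2 ABCDEF"]                      # constructed sample DS
    print(reconcile_ds(parent, ["12345 13 2 abcdef", "23456 13 2 001122"]))
    print(reconcile_ds(parent, None))                   # CDS gone: no change
    print(reconcile_ds(parent, [DELETE_CDS]))           # explicit delete
    print(dnskey_policy_mismatches(["257 3 13 AAAA", "256 3 8 BBBB"],
                                   {"ksk": "ecdsa256", "zsk": "ecdsa256"}))
```

Run the mismatch check once before switching a signed zone to the policy; run the reconcile step on every poll, and only the explicit delete record ever empties the parent's DS set.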


On 23-11-2022 18:24, Mark Elkins via bind-users wrote:
Hi people,

I have read https://kb.isc.org/docs/dnssec-key-and-signing-policy

I have put the following policy in my named.conf file:-

dnssec-policy "ecdsa256-policy" {
     signatures-refresh 5d;
     signatures-validity 14d;
     signatures-validity-dnskey 14d;
     dnskey-ttl 3600;
     publish-safety 1h;
     retire-safety 1h;
     purge-keys 10d;

     keys {
        ksk lifetime 370d algorithm ecdsa256;   // <---- this part in particular!
        zsk lifetime 34d algorithm ecdsa256;
     };

     zone-propagation-delay 300s;
     max-zone-ttl 86400s;
     parent-propagation-delay 1h;
     parent-ds-ttl 3600;
};

I also have some external code that goes trawling for CDS records and puts into a parent whatever it finds in the child - that in this case is signed with the above policy stanza.

If the child creates a new CDS - my external scripts will find it and pop it into the parent as a DS record. If the child loses a CDS record - my external script will remove the corresponding DS record from the parent.
Basically - whatever is in the child as a CDS will be in the parent as a DS.
A null CDS removes all DS records - but that's not my question.

Is there anything else I need to do? Any additional rndc's ??

--

Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za       Tel: +27.826010496 <tel:+27826010496>

