On 29. 05. 24 11:31, adrien sipasseuth wrote:
> Only if KSK has DSState: rumoured. If the DSState is hidden it means
> that it is not expected to be in the parent (for example because the
> DNSKEY has not yet been fully propagated).
> > Do you need to withdraw the old key too immediately? Anything else to
> > do?
> >>> Do you mean withdraw the old DS?
> Yes, the old DS should not yet be withdrawn because some RRSIGs could
> still be valid? Or can I withdraw the old DS / KSK immediately?
> In my logic:
> For each .state file
>   If it is a KSK with "DSState: rumoured" or "DSState: hidden"
>     If not in my registrar (dig ds <my_zone> +dnssec +multiline)
>       Publish at my registrar (registrar API)
>       Notify BIND (rndc dnssec -checkds -key <New ID KSK>
>         published <my_zone>)
>       Notify BIND (rndc dnssec -checkds -key <Old ID KSK>
>         withdrawn <my_zone>)
> In my understanding, I shouldn't do "Notify BIND (rndc dnssec
> -checkds -key <Old ID KSK> withdrawn <my_zone>)" and should wait until
> all RRSIGs signed with the old KSK expire. In that case, how can I check
> this? (Some dig command? Or check the state file for "DSState:
> unretentive"?)
I think the best approach is to enable "checkds" feature and leave it up
to BIND to decide when it's safe to do next state transition. There
should not be a need to do the rndc magic.
See
https://bind9.readthedocs.io/en/latest/reference.html#automated-ksk-rollovers
and also
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-parental-agents
I hope it helps.
--
Petr Špaček
Internet Systems Consortium
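For readers who cannot use parental-agents and must do the registrar step by hand, the following is an added example (not code from the thread, from Adrien, or from ISC) of the state-file driven logic sketched above. It keys every decision on the per-key DSState that named writes, and emits the rndc "checkds" commands only for the transition each state actually asks for: "published" for a rumoured DS that has become visible at the parent, "withdrawn" for an unretentive DS that has disappeared from it. Assumptions: the key directory holds the K<zone>+<alg>+<id>.state files written by named under dnssec-policy; the set of key tags currently in the parent's DS RRset is passed in as a list (in real use obtained with `dig +short DS "$zone" @<resolver> | awk '{print $1}'`); the sample key directory, zone name example.test and key tags are constructed for the example.

```shell
#!/bin/sh
# Added example: plan manual DS publication/withdrawal from BIND 9 key state
# files. Assumed layout: K<zone>+<alg>+<id>.state files written by named;
# the parent's current DS key tags are supplied by the caller (constructed
# here; in production: dig +short DS "$zone" @<resolver> | awk '{print $1}').

# Read one "Field: value" line from a key state file.
state_field() {            # $1 = state file, $2 = field name
    sed -n "s/^$2: *//p" "$1" | head -n 1
}

# Key tag from the file name; leading zeros stripped so it matches dig output.
key_tag_from_name() {      # $1 = path to K<zone>+<alg>+<id>.state
    basename "$1" .state | sed 's/.*+0*\([0-9][0-9]*\)$/\1/'
}

# Decide what the operator must do for one key. Prints exactly one word:
#   skip              not a KSK
#   wait              DSState hidden: DNSKEY not yet propagated, no DS yet
#   publish           DS rumoured, absent at parent: add DS via registrar
#   notify-published  DS rumoured, visible at parent: rndc ... published
#   withdraw          DS unretentive, still at parent: remove via registrar
#   notify-withdrawn  DS unretentive, gone from parent: rndc ... withdrawn
#   ok                DS omnipresent, nothing to do
ksk_action() {             # $1 = state file, $2 = space-separated parent key tags
    [ "$(state_field "$1" KSK)" = "yes" ] || { echo skip; return 0; }
    tag=$(key_tag_from_name "$1")
    in_parent=no
    for p in $2; do
        if [ "$p" = "$tag" ]; then in_parent=yes; fi
    done
    case "$(state_field "$1" DSState):$in_parent" in
        hidden:*)         echo wait ;;
        rumoured:no)      echo publish ;;
        rumoured:yes)     echo notify-published ;;
        unretentive:yes)  echo withdraw ;;
        unretentive:no)   echo notify-withdrawn ;;
        omnipresent:*)    echo ok ;;
        *)                echo unknown ;;
    esac
}

# Dry run over a key directory: print registrar steps and rndc commands.
plan_zone() {              # $1 = zone, $2 = key directory, $3 = parent key tags
    for f in "$2"/K*.state; do
        tag=$(key_tag_from_name "$f")
        case "$(ksk_action "$f" "$3")" in
            publish)          echo "registrar: add DS for key $tag, then re-run" ;;
            notify-published) echo "rndc dnssec -checkds -key $tag published $1" ;;
            withdraw)         echo "registrar: remove DS for key $tag, then re-run" ;;
            notify-withdrawn) echo "rndc dnssec -checkds -key $tag withdrawn $1" ;;
        esac
    done
}

# Constructed sample key directory (contents invented for this example;
# only the fields the logic above reads are written).
write_state() {            # $1 = dir, $2 = tag, $3 = KSK yes/no, $4 = DSState
    {
        printf 'Algorithm: 13\nKSK: %s\nZSK: %s\nDNSKEYState: omnipresent\n' \
            "$3" "$([ "$3" = yes ] && echo no || echo yes)"
        if [ -n "$4" ]; then printf 'DSState: %s\n' "$4"; fi
    } > "$1/Kexample.test.+013+$2.state"
}
make_sample_keys() {
    d=$(mktemp -d)
    write_state "$d" 11111 yes unretentive   # old KSK: DS must leave the parent
    write_state "$d" 22222 yes rumoured      # new KSK: DS must reach the parent
    write_state "$d" 00333 no  ""            # ZSK: no DS involvement
    write_state "$d" 44444 yes hidden        # KSK whose DNSKEY is not yet propagated
    echo "$d"
}

# Stand-alone run: the parent still holds only the old DS (tag 11111).
keys=$(make_sample_keys)
plan_zone example.test "$keys" "11111"
```

Run it once to get the registrar steps, apply them, wait until `dig +short DS` from an outside resolver shows the new RRset, then run it again to get the matching `rndc dnssec -checkds` commands. If named can reach the parent's nameservers itself, the parental-agents and checkds configuration Petr points to replaces the dig and rndc half of this; only the registrar step stays manual.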
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users