Hi dear knot users,
Back again with a yet another question on the same subject. Hopefully
this time the last one...
We are a sub domain: sub.company.com, and in order to eanble DNSSEC, I
need to enable DNSSEC on our knot zone sub.company.com, and send the DS
key to company.com DNS admins for publication in the parent.
My goal is to minimize the time between enabling DNSSEC and having our
DS key published in the parent zone.
As it turns out, is it incredibly difficult for company.com DNS admins
to schedule a date/time to do this 'in sync' with us.
The parent zone is now asking me to simply enable DNSSEC, and send them
the DS keys. They will then submit a support request for that already
active DS key to be published into the company.com DNS.
Thing is: They are not sure how quickly that support request would be
processed. So we could potentially face a significant amount of time
(hours, days) of running knot with DNSSEC, without the DS key publised
at the parent.
(so basically: a broken chain of trust situation)
My question: How disastrous (if at all) would that be? What consequences
(if any) to expect?
Or is there perhaps another approach at this that we fail to see?
(other than asking company.com to change their dns hosting)
(I was thinking perhaps: quickly enable dnssec, take note of the
generated DS key, disable dnssec again, sent the DS key to parent, wait
for it to become published, and then re-enable dnssec on knot)
Enjoy your weekends everybody!
MJ
Op 31-08-2021 om 12:04 schreef mj:
ok, good to know!
Thanks (again!) for the quick reply!
MJ
Op 31-08-2021 om 12:01 schreef Daniel Salzman:
Hi,
The extra white space is just a redundant separation of a long hex
string. You can ignore it.
Daniel
On 8/31/21 11:49 AM, mj wrote:
Hi,
We have a (hopefully last) follow-up question on the knot-generated
dnssec keys for our domain.
Our policy is is set to algorithm: ECDSAP256SHA256. Upon knot start,
knot generates the key:
knotd[25835]: info: [company.com.] DNSSEC, key, tag 54011, algorithm
ECDSAP256SHA256, KSK, public, ready, active+
knotd[25835]: info: [company.com.] DNSSEC, key, tag 49404, algorithm
ECDSAP256SHA256, public, active
knotd[25835]: info: [company.com.] DNSSEC, signing started
Then we query the DS key to be published, the result is:
keymgr company.com ds
company.com. DS 54011 13 2
f0892debae240caa01827becdd3d3cb0ef2512f5691ca525895777571a67e680
company.com. DS 54011 13 4
462211ea3e8d3ea19a2ae803b926af8df851369527879911318f59ff72973a72452e3f29265c339c6a61537a778c43da
Now the question. In most (if not all?) docs we read on the subject,
the DS key looks something like:
knot-dns.cz. 3600 IN DS 54959 13 2
268DE6EB7E0630953B8AF0F0037BF68FD10443BF01B5E17805AF94C2 6921897D
or
dnssec-tools.org. 21600 IN DS 9638 13 2
92551AA25C4ADE8E2882FBF4BEB5B54F9D84379B153848852B68BB3C 793F4B0B
note the spaces at the end of the key string.
Our knot-generated DS key does not have a space in it.
Is something wrong? Do we need to add a space somewhere, or..?
Thanks again in advance for providing insight :-)
MJ
--
https://lists.nic.cz/mailman/listinfo/knot-dns-users
