Re: debian11 + bind-9.16.15 + dnssec-policy = lost zonefiles + crashes
On 16-08-2021 11:22, raf via bind-users wrote:
> On Mon, Aug 16, 2021 at 10:32:35AM +0200, Matthijs Mekking wrote:
>> Hi,
>>
>> On 16-08-2021 04:28, raf via bind-users wrote:
>>> On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf wrote:
>>> ...
>>>
>>> So it's looking good and I'm happy now. But how long after the zone has been signed can I expect to see CDS/CDNSKEY RRs appear? Why aren't they created at the same time as the DNSKEY RRs? I assume there's a good reason but I can't think what it is.
>>
>> First the RRsets with signatures need to be in the zone long enough that any cached unsigned RRsets in resolvers' caches have expired.
>>
>> If you call 'rndc dnssec -status ' you might see that the "zone rrsigs" are still in the "rumoured" state. Once they are omnipresent, the DS may be submitted and that is the time when the corresponding CDS/CDNSKEY records will be published.
>
> Thanks! That makes much sense. I was thinking that it would be OK to publish the DS sooner when the zone is signed for the first time. But I get it. I'll trust bind's sense of timing and be patient. :-)

It is 99% of the time, but there will be corner cases (and dragons).

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: debian11 + bind-9.16.15 + dnssec-policy = lost zonefiles + crashes
On Mon, Aug 16, 2021 at 10:32:35AM +0200, Matthijs Mekking wrote:
> Hi,
>
> On 16-08-2021 04:28, raf via bind-users wrote:
> > On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf wrote:
> ...
> >
> > So it's looking good and I'm happy now. But how long after the zone has been signed can I expect to see CDS/CDNSKEY RRs appear? Why aren't they created at the same time as the DNSKEY RRs? I assume there's a good reason but I can't think what it is.
>
> First the RRsets with signatures need to be in the zone long enough that any cached unsigned RRsets in resolvers' caches have expired.
>
> If you call 'rndc dnssec -status ' you might see that the "zone rrsigs" are still in the "rumoured" state. Once they are omnipresent, the DS may be submitted and that is the time when the corresponding CDS/CDNSKEY records will be published.

Thanks! That makes much sense. I was thinking that it would be OK to publish the DS sooner when the zone is signed for the first time. But I get it. I'll trust bind's sense of timing and be patient. :-)

cheers,
raf
Re: debian11 + bind-9.16.15 + dnssec-policy = lost zonefiles + crashes
Hi,

On 16-08-2021 04:28, raf via bind-users wrote:
> On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf wrote:
> ...
>
> So it's looking good and I'm happy now. But how long after the zone has been signed can I expect to see CDS/CDNSKEY RRs appear? Why aren't they created at the same time as the DNSKEY RRs? I assume there's a good reason but I can't think what it is.

First the RRsets with signatures need to be in the zone long enough that any cached unsigned RRsets in resolvers' caches have expired.

If you call 'rndc dnssec -status ' you might see that the "zone rrsigs" are still in the "rumoured" state. Once they are omnipresent, the DS may be submitted and that is the time when the corresponding CDS/CDNSKEY records will be published.

> Also, please document the dangers of putting a dnssec-policy usage directive in the options {} stanza (unless something significant has changed since version 9.16.15, and bind now knows not to sign zones that really shouldn't be signed locally - but even if that's the case, you could document what version that changed in).

That's a good addition. There are a bunch of other suggestions to improve the documentation that I am planning to make and I'll add this suggestion to the list. Thanks.

> Thanks again for making DNSSEC so easy to implement (as long as you avoid classic rookie errors). :-)

Thanks for trying it out and reporting back; this way we can improve it even more.

Best regards,

Matthijs

> cheers,
> raf
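Added example, not code from this thread or from ISC: a small Python script that reads the text printed by 'rndc dnssec -status <zone>' and reports, per key, whether the records the DS depends on (DNSKEY, zone RRSIGs, key RRSIGs) have all reached the "omnipresent" state, which is the point at which the thread says the DS may be submitted and the CDS/CDNSKEY records appear. The two status dumps below are constructed to resemble BIND 9.16 output; their exact layout, the "- dnskey:" style field names, the key ids and the helper names parse_status, ds_submittable, pending and report are all assumptions, not anything the thread shows. The four state names (hidden, rumoured, omnipresent, unretentive) are the ones BIND's key manager uses.

```python
import re

# Key/record states used by BIND's dnssec-policy key manager, in the order a
# record moves through them when it is being introduced.
STATES = ("hidden", "rumoured", "omnipresent", "unretentive")

# Per the thread: the DS may only be submitted once the signatures (and the
# DNSKEY they depend on) have been in the zone long enough to be omnipresent.
REQUIRED_OMNIPRESENT = ("dnskey", "zone rrsig", "key rrsig")

# CONSTRUCTED sample: freshly signed zone, signatures still "rumoured".
SAMPLE_RUMOURED = """\
dnssec-policy: default
current time:  Mon Aug 16 11:30:00 2021

key: 12345 (ECDSAP256SHA256), CSK
  published:      yes - since Sun Aug 15 12:35:27 2021
  key signing:    yes - since Sun Aug 15 12:35:27 2021
  zone signing:   yes - since Sun Aug 15 12:35:27 2021

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         rumoured
  - ds:             hidden
  - zone rrsig:     rumoured
  - key rrsig:      rumoured
"""

# CONSTRUCTED sample: same zone later; key 12345 is ready for DS submission,
# key 23456 is an old key being retired (goal hidden) and must be ignored.
SAMPLE_OMNIPRESENT = """\
dnssec-policy: default
current time:  Tue Aug 17 12:00:00 2021

key: 12345 (ECDSAP256SHA256), CSK
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             hidden
  - zone rrsig:     omnipresent
  - key rrsig:      omnipresent

key: 23456 (ECDSAP256SHA256), CSK
  - goal:           hidden
  - dnskey:         unretentive
  - ds:             hidden
  - zone rrsig:     unretentive
  - key rrsig:      unretentive
"""

KEY_RE = re.compile(r"^key:\s+(\d+)\s+\(([^)]+)\),\s*(\w+)", re.M)
STATE_RE = re.compile(
    r"^[ \t]*-[ \t]*(goal|dnskey|ds|zone rrsig|key rrsig):[ \t]*(\w+)", re.M)


def parse_status(text):
    """Map key id -> {"algorithm", "role", "states": {record: state}}."""
    keys = {}
    heads = list(KEY_RE.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[m.end():end]
        states = {}
        for sm in STATE_RE.finditer(block):
            name, value = sm.group(1), sm.group(2).lower()
            if value not in STATES:
                raise ValueError(f"unknown state {value!r} for {name}")
            states[name] = value
        keys[int(m.group(1))] = {
            "algorithm": m.group(2), "role": m.group(3), "states": states}
    return keys


def ds_submittable(states):
    """True when every record the DS depends on is omnipresent."""
    return all(states.get(r) == "omnipresent" for r in REQUIRED_OMNIPRESENT)


def pending(states):
    """Records that are still not omnipresent, i.e. why CDS is not out yet."""
    return [r for r in REQUIRED_OMNIPRESENT if states.get(r) != "omnipresent"]


def report(text):
    """Per active key: can the DS go to the parent, and what is still pending."""
    out = {}
    for key_id, info in parse_status(text).items():
        st = info["states"]
        if st.get("goal") != "omnipresent":
            continue  # key is being retired; no DS to submit for it
        out[key_id] = {"ds_submittable": ds_submittable(st),
                       "pending": pending(st), "ds": st.get("ds")}
    return out


if __name__ == "__main__":
    for label, sample in (("fresh", SAMPLE_RUMOURED), ("later", SAMPLE_OMNIPRESENT)):
        print(label, report(sample))
```

In practice you would feed the script the real output ('rndc dnssec -status example.com | python3 ds_ready.py' with a stdin reader in place of the samples) and only then run your 'dig CDS' / 'dig CDNSKEY' check against the authoritative server; polling dig before the status shows omnipresent signatures is exactly the impatience the thread warns against.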