On 14/02/23 05:39, adrien sipasseuth wrote:
"You configure parental agents and named will check which DS's are published. Named won't complete the roll until it knows the new DS is published."
=> What is a parental agent? I don't find this term in the BIND documentation. From what I understand, you have to tell BIND that the new DS is published with the command: rndc dnssec -checkds -key <id new ksk> published <my-zone>
Have a look at https://downloads.isc.org/isc/bind9/9.18.11/doc/arm/html/reference.html and search for "parental-agents"? (The basic idea is that BIND will automatically poll to see if the new DS has been published, rather than relying on you to run the rndc command.)

"If it was me, I'd set the KSK to not roll over automatically, and instead create a recurring reminder for yourself to initiate the KSK roll-over manually? That way you'd never get caught out with a KSK roll-over happening when you weren't prepared for it?"
=> I don't know if I can have a policy for the ZSK and a manual method for the KSK. From what I understand, if I want to use a policy I have to remove "auto-dnssec maintain;", which is necessary for the manual method, right?

You can configure your dnssec-policy to automatically roll the ZSK only, and then you can manually roll the KSK. Just set the policy to give the KSK an unlimited lifetime, e.g.:

dnssec-policy 90dayzsk {
        keys {
                // KSK is never retired by the policy; roll it by hand with rndc
                ksk lifetime unlimited algorithm ecdsa256;
                // ZSK is pre-published, rolled and retired automatically every 90 days
                zsk lifetime P90D algorithm ecdsa256;
        };
};

You can trigger the (KSK) roll-over with: rndc dnssec -rollover -key xxx

BIND will then schedule the creation of the new key, etc, and all you need to do is change the DS key (in the parent zone) at the appropriate time, then (if not using parental-agents) tell BIND that you've done it, and it will take care of retiring the old key.


In the meantime, I wonder if I can't stay on the manual method even with BIND 9.18? I read that the auto-dnssec directive might disappear in favor of dnssec-policy. Does that mean that it might not be possible to do it manually anymore? Source here => https://kb.isc.org/v1/docs/dnssec-key-and-signing-policy
See previous answer. IMHO transitioning to using dnssec-policy is definitely worth it! :-)
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
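The step the reply leaves to the operator, "change the DS in the parent zone, then tell BIND it is there" (or let parental-agents poll for it), comes down to one check: does the parent's DS RRset contain the DS derived from the new KSK's DNSKEY? The script below is an added example, not code from this thread or from BIND; it derives the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4, SHA-256 per RFC 4509) from a DNSKEY and compares against a DS RRset. The DNSKEY is the published RFC 4034/RFC 4509 test vector for dskey.example.com (key id 60485; note the vector carries flags 256 rather than the 257 a KSK would have), and the "parent DS RRset" is constructed for the example.

```python
"""Derive DS records from a DNSKEY and check whether the parent publishes one.

Added example for the bind-users discussion above; not BIND code. It does by
hand what BIND's parental-agents polling (or `rndc dnssec -checkds`) is for:
confirm that the DS for the new KSK is actually in the parent zone before the
old KSK is retired.
"""
import base64
import hashlib
import struct

# DS digest types (IANA DS RR digest registry): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# RFC 4034 section 5.4 / RFC 4509 section 2.3 test vector (key id 60485).
EXAMPLE_OWNER = "dskey.example.com."
EXAMPLE_FLAGS, EXAMPLE_PROTOCOL, EXAMPLE_ALGORITHM = 256, 3, 5  # flags 256 in the RFC vector
EXAMPLE_KEY = (
    "AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/2pHm822aJ5iI9BMzNXxeYCmZ"
    "DRD99WYwYqUSdjMmmAphXdvxegXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9Xzc"
    "nOf+EPbtG9DMBmADjFDc2w/rljwvFw=="
)

# Constructed "parent DS RRset": a placeholder DS for some other key, plus the
# RFC 4509 DS for the example key. Tuples are (key_tag, algorithm, digest_type, hex).
PARENT_DS_RRSET = [
    (12345, 13, 2, "00" * 32),  # constructed placeholder, not a real DS
    (60485, 5, 2, "D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A"),
]


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA on the wire: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; this is the id `rndc dnssec -key <id>` takes."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte  # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              key_b64: str, digest_type: int = 2) -> tuple:
    """Return (key_tag, algorithm, digest_type, HEX_DIGEST) for this DNSKEY.

    digest = H(canonical owner name || DNSKEY RDATA), per RFC 4034 5.1.4."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGEST_TYPES[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_published(owner: str, flags: int, protocol: int, algorithm: int,
                 key_b64: str, parent_ds_rrset) -> bool:
    """True if the parent's DS RRset contains a DS matching this DNSKEY.

    The digest type is taken from each parent DS, so a parent that only
    publishes SHA-1 digests is still matched rather than reported missing."""
    for tag, alg, dtype, digest in parent_ds_rrset:
        if dtype not in DIGEST_TYPES:
            continue  # unknown digest type: cannot verify, keep looking
        expected = ds_record(owner, flags, protocol, algorithm, key_b64, dtype)
        if expected == (tag, alg, dtype, digest.upper()):
            return True
    return False


if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(EXAMPLE_OWNER, EXAMPLE_FLAGS,
                                        EXAMPLE_PROTOCOL, EXAMPLE_ALGORITHM, EXAMPLE_KEY)
    print(f"{EXAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
    ok = ds_published(EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_PROTOCOL,
                      EXAMPLE_ALGORITHM, EXAMPLE_KEY, PARENT_DS_RRSET)
    print("DS published at parent:", ok)
```

In practice the DS RRset would come from a query against the parent's authoritative servers (not from a recursive cache, where a stale DS can linger for its TTL), and the DNSKEY from the new key's .key file or `rndc dnssec -status`. Only once the check returns true for every parent server, and the old DS has been removed and its TTL has expired, is it safe to run `rndc dnssec -checkds -key <id> published <zone>` and let BIND retire the old KSK; a check that compares against a DS with a different flags value (257 vs 256) or a different digest type fails, which is exactly the mismatch that would otherwise leave the zone bogus.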