On 14/02/23 05:39, adrien sipasseuth wrote:
"You configure parental agents and named will check which DS’s are
published. Named won’t complete the
roll until it knows the new DS is published."
=> What is a parental agent? I don't find this term in the BIND
documentation. From what I understand, you have to specify to BIND
that the new DS is published with the command: rndc dnssec -checkds
-key <id new ksk> published <my-zone>
Have a look at
https://downloads.isc.org/isc/bind9/9.18.11/doc/arm/html/reference.html
and search for "parental-agents". (The basic idea is that BIND will
automatically poll to see if the new DS has been published, rather than
relying on you to run the rndc command.)
"If it was me, I'd set the KSK to not roll-over automatically, and
instead create a recurring reminder for yourself to initiate the KSK
roll-over manually? That way you'd never get caught out with a KSK
roll-over happening when you weren't prepared for it? "
=> I don't know if I can get a policy for the ZSK and a manual method for
the KSK. From what I understand, if I want to use a policy I have to remove
"auto-dnssec maintain;", which is necessary for the manual method, right?
You can configure your dnssec-policy to automatically roll the ZSK only,
and then you can manually roll the KSK. Just set the policy to give the
KSK an unlimited lifetime, e.g.:
    dnssec-policy 90dayzsk {
        keys {
            ksk lifetime unlimited algorithm ecdsa256;
            zsk lifetime P90D algorithm ecdsa256;
        };
    };
You can trigger the (KSK) roll-over with: rndc dnssec -rollover -key xxx <zone>
BIND will then schedule the creation of the new key, etc, and all you
need to do is change the DS key (in the parent zone) at the appropriate
time, then (if not using parental-agents) tell BIND that you've done it,
and it will take care of retiring the old key.
In the meantime, I wonder if I can't stay on the manual method even
with BIND 9.18? I read that the auto-dnssec directive might
disappear in favor of dnssec-policy. Does that mean that it might not
be possible to do it manually anymore? Source here =>
https://kb.isc.org/v1/docs/dnssec-key-and-signing-policy
See previous answer. IMHO transitioning to using dnssec-policy is
definitely worth it! :-)
--
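The setup described in the answers above (ZSK rolled automatically by dnssec-policy, KSK rolled only on request, DS publication polled via parental-agents), as an added named.conf fragment that is not from this thread or from ISC; the zone name, file path, list name and parent server addresses are constructed placeholders, and the syntax is that of BIND 9.18.

```conf
// Added example, not from the thread or from ISC. "example.com", the zone
// file path, "example-parents" and the addresses are constructed placeholders.

// Name servers of the parent zone that named polls for the new DS record;
// with this in place, no "rndc dnssec -checkds ... published" step is needed.
parental-agents "example-parents" {
    192.0.2.53;
    2001:db8::53;
};

dnssec-policy "90dayzsk" {
    keys {
        // The KSK never rolls on its own. Start a roll by hand with:
        //   rndc dnssec -rollover -key <keyid> example.com
        ksk lifetime unlimited algorithm ecdsa256;
        // The ZSK is pre-published, rolled and retired automatically every 90 days.
        zsk lifetime P90D algorithm ecdsa256;
    };
};

zone "example.com" {
    type primary;
    file "/var/named/example.com.db";
    inline-signing yes;                       // sign a static zone file in place
    dnssec-policy "90dayzsk";                 // replaces "auto-dnssec maintain;"
    parental-agents { "example-parents"; };   // named checks the parent for the DS
};
```

After updating the DS at the parent, `rndc dnssec -status example.com` shows the KSK state machine progressing once named has seen the new DS.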
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users