Re: KASP Key Rollover: ZSK Disappears Immediately

2023-11-13 Thread Matthijs Mekking
Hi Nick, The timings are based on what is configured in the dnssec-policy: It is too costly to observe the zone every time to see if there is still a signature of the predecessor key. So yes: it takes the maximum possible time to determine when all signatures have been replaced. This time

Re: KASP Key Rollover: ZSK Disappears Immediately

2023-11-13 Thread Nick Tait via bind-users
On 03/10/2023 09:59, Eddie Rowe wrote: I appreciate the feedback. I did make sure the ZSK is omnipresent and the issue still happens so it might be that my attempt to take the default policy and bring it down to 1 day to hurry along testing. I will see if I can find any test policies in the

Re: KASP Key Rollover: ZSK Disappears Immediately

2023-10-02 Thread Eddie Rowe
the default one with a greater amount of patience. From: bind-users on behalf of Nick Tait via bind-users Sent: Friday, September 29, 2023 5:37 PM To: bind-users@lists.isc.org Subject: Re: KASP Key Rollover: ZSK Disappears Immediately Sorry I just realised that all

Re: KASP Key Rollover: ZSK Disappears Immediately

2023-09-29 Thread Nick Tait via bind-users
Sorry I just realised that all that waffle about DS records is only relevant for KSKs (and CSKs), not ZSKs. So please disregard that. :-P But I think the "rumoured" vs. "omnipresent" thing is still relevant and is the most likely explanation for why the old ZSK doesn't stick around. I can

Re: KASP Key Rollover: ZSK Disappears Immediately

2023-09-29 Thread Nick Tait via bind-users
On 29/09/23 12:05, Eddie Rowe wrote: When I perform a ZSK key rollover the existing ZSK disappears *immediately* so not sure what I am missing when using the KASP to manage key rollover. The state for the keys looks good and for this test I have TTL set to 1 hour. But why does dig not show

KASP Key Rollover: ZSK Disappears Immediately

2023-09-28 Thread Eddie Rowe
When I perform a ZSK key rollover the existing ZSK disappears immediately so not sure what I am missing when using the KASP to manage key rollover. The state for the keys looks good and for this test I have TTL set to 1 hour. But why does dig not show me both DNSKEY records for the ZSK after

Re: [KASP] Key rollover

2023-02-15 Thread Nick Tait via bind-users
On 14/02/23 05:39, adrien sipasseuth wrote: "You configure parental agents and named will check which DS’s are published. Named won’t complete the roll until it knows the new DS is published." => What is a parental agent? I don't find this term in the BIND documentation. From what I understand,

Re: [KASP] Key rollover

2023-02-13 Thread adrien sipasseuth
Hi, "You configure parental agents and named will check which DS’s are published. Named won’t complete the roll until it knows the new DS is published." => What is a parental agent? I don't find this term in the BIND documentation. From what I understand, you have to specify to BIND that the new DS

Re: [KASP] Key rollover

2023-02-09 Thread Mark Andrews
You configure parental agents and named will check which DS’s are published. Named won’t complete the roll until it knows the new DS is published. > On 9 Feb 2023, at 19:49, Nick Tait via bind-users wrote: > > On 9/02/23 05:17, adrien sipasseuth wrote: >> so it works BUT I need to know

Re: [KASP] Key rollover

2023-02-09 Thread Nick Tait via bind-users
On 9/02/23 05:17, adrien sipasseuth wrote: so it works BUT I need to know more than 48h in advance that the rollover is starting to submit the new KSK to my registrar. How can I set this up if it's not with "public-safety"? If it was me, I'd set the KSK to not roll over automatically, and

Re: [KASP] Key rollover

2023-02-08 Thread adrien sipasseuth
Hello, I waited 24 hours and then put my zone back in DNSSEC. After 24 hours everything seems OK... at least by doing an "rndc dnssec -status " everything is in omnipresent: Next rollover scheduled on Fri Feb 10 09:15:51 2023 - goal: omnipresent - dnskey: omnipresent - ds: omnipresent -

Re: [KASP] Key rollover

2023-01-25 Thread Matthijs Mekking
On 1/24/23 15:18, adrien sipasseuth wrote: Hello, I don't know why DSState: hidden; it's OK with some online check tools like: - https://dnssec-analyzer.verisignlabs.com/ - https://zonemaster.net/fr/run-test

Re: [KASP] Key rollover

2023-01-25 Thread adrien sipasseuth
Hi Matthijs, my next key was generated yesterday as expected by policy (parameter "publish-safety 3d;"). My current key has been deleted from BIND (according to the logs) but it still exists on my primary server (I can still find the key and its status file). When I do a "dig DNSKEY ..." from

Re: [KASP] Key rollover

2023-01-24 Thread adrien sipasseuth
Hello, I don't know why DSState: hidden; it's OK with some online check tools like: - https://dnssec-analyzer.verisignlabs.com/ - https://zonemaster.net/fr/run-test My master is hidden; can it be related? How can I debug this DSState: hidden? I found this command to check actual status: rndc

Re: [KASP] Key rollover

2023-01-24 Thread Matthijs Mekking
Hi Adrien, I don't think it is fine yet. I see in your state file the following line: > DSState: hidden This means the DS is not published according to BIND. > From my understanding, the second KSK should appear because I put the parameter "publish-safety 3d;" that is to say 3 days before

Re: [KASP] Key rollover

2023-01-24 Thread adrien sipasseuth
Hello Matthijs, Indeed I had not published the DS at my registrar because I thought that the second KSK would have appeared anyway at the time of the rollover. I published the DS yesterday and I reported it to BIND with the command you gave me. I didn't find any error in the logs so everything must

Re: [KASP] Key rollover

2023-01-19 Thread Matthijs Mekking
Hi Adrien, Without any logs or key **state** files, I can't really tell what is going on. My only gut feeling is that you have never signaled BIND 9 that the DS has been published. You can run 'rndc dnssec -checkds -key 12345 published example.com' or set up parental-agents to do it for

[KASP] Key rollover

2023-01-17 Thread adrien sipasseuth
Hello, I set up DNSSEC management with KASP; the zone is fully functional (dig with "AD" flag etc.). On the other hand, I can't see when the key rollover period for my KSK is over (2 KSKs with a dig DNSKEY...) Without KASP, it was easy because I generated the second KSK key but with KASP, it
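Both threads above come down to the same two things: named drives a KASP rollover from the state it has recorded for each key (the *.state files in the key directory, where Matthijs Mekking spotted "DSState: hidden"), and the timings come from the dnssec-policy values rather than from looking at the zone. The script below is an added example, not code from ISC or from anyone in the threads. It parses constructed state files in the format named writes (field names as in BIND 9.16 and later; the key ids, zone and values are made up), flags a KSK whose DS has never been confirmed to named, together with the 'rndc dnssec -checkds' command Matthijs and Mark Andrews recommend, flags a retiring key whose DNSKEY never reached 'omnipresent' (the state Nick Tait points at in the ZSK thread), and works out the RFC 7583 publish and retire intervals the BIND ARM derives from a policy, with the defaults from the ARM as assumed starting values.

```python
"""Triage BIND 9 KASP rollovers from key state files and policy timers.

Added example for the bind-users threads above, not code from ISC or the
posters. It reads the *.state files named writes beside its key files (field
names as BIND 9.16+ writes them; the samples here are constructed) and computes
the RFC 7583 rollover intervals that the BIND ARM derives from a dnssec-policy.
"""
from __future__ import annotations

import re

# Constructed .state files: a KSK whose DS named has never seen confirmed, and a
# ZSK being retired while its DNSKEY is still only 'rumoured'.
SAMPLE_STATE_FILES = {
    "Kexample.com.+013+12345.state": """\
; This is the state of key 12345, for example.com.
Algorithm: 13
KSK: yes
ZSK: no
Published: 20230117101010 (Tue Jan 17 10:10:10 2023)
DNSKEYState: omnipresent
DSState: hidden
GoalState: omnipresent
""",
    "Kexample.com.+013+23456.state": """\
; This is the state of key 23456, for example.com.
KSK: no
ZSK: yes
Successor: 34567
DNSKEYState: rumoured
ZRRSIGState: omnipresent
GoalState: hidden
""",
}
FILENAME_RE = re.compile(r"^K(?P<zone>.+?)\+(?P<alg>\d{3})\+(?P<id>\d{5})\.state$")

def parse_state(text: str) -> dict[str, str]:
    """Parse 'Field: value' lines; ';' lines are comments, and the human-readable
    time copy in parentheses is dropped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split("(")[0].strip()
    return fields

def diagnose(state_files: dict[str, str]) -> list[tuple[int, str, str]]:
    """Return (key id, finding, detail) for rollovers that look stuck."""
    findings = []
    for name, text in sorted(state_files.items()):
        m = FILENAME_RE.match(name)
        if not m:
            continue
        zone, key_id = m["zone"].rstrip("."), int(m["id"])
        st = parse_state(text)
        goal = st.get("GoalState")
        # KSK/CSK meant to be in full use, but named never recorded its DS as
        # published: the roll stalls until rndc or a parental agent confirms it.
        if (st.get("KSK") == "yes" and goal == "omnipresent"
                and st.get("DSState") in ("hidden", "rumoured")):
            findings.append((key_id, "ds-unconfirmed",
                             f"rndc dnssec -checkds -key {key_id} published {zone}"))
        # Key heading for retirement whose DNSKEY never reached omnipresent: the
        # state Nick Tait points to; named's timers run from this recorded state.
        if goal == "hidden" and st.get("DNSKEYState") == "rumoured":
            findings.append((key_id, "dnskey-never-omnipresent",
                             f"key {key_id} retiring while DNSKEYState is rumoured"))
    return findings

# dnssec-policy defaults from the BIND ARM, in seconds; pass your own to override.
DEFAULT_POLICY = {
    "dnskey-ttl": 3600, "zone-propagation-delay": 300, "publish-safety": 3600,
    "retire-safety": 3600, "max-zone-ttl": 86400, "signatures-validity": 14 * 86400,
    "signatures-refresh": 5 * 86400, "parent-ds-ttl": 86400, "parent-propagation-delay": 3600,
}

def rollover_intervals(policy: dict[str, int] | None = None) -> dict[str, int]:
    """RFC 7583 intervals (seconds) as the ARM derives them, safety margins included.
    Dsgn = validity - refresh is the worst case for the old key's RRSIGs to be
    gone; named does not scan the zone to check, as Matthijs explains."""
    d = {**DEFAULT_POLICY, **(policy or {})}
    dsgn = d["signatures-validity"] - d["signatures-refresh"]
    return {
        # a new DNSKEY must be published this long before it starts signing
        "Ipub": d["zone-propagation-delay"] + d["dnskey-ttl"] + d["publish-safety"],
        # a retired ZSK's DNSKEY is kept this long after its successor signs
        "Iret_zsk": dsgn + d["zone-propagation-delay"] + d["max-zone-ttl"] + d["retire-safety"],
        # a retired KSK is kept this long after its DS is withdrawn at the parent
        "Iret_ksk": d["parent-propagation-delay"] + d["parent-ds-ttl"] + d["retire-safety"],
    }

if __name__ == "__main__":
    for key_id, code, detail in diagnose(SAMPLE_STATE_FILES):
        print(f"key {key_id}: {code}: {detail}")
    # publish-safety 3d as in the [KASP] thread, everything else at defaults
    for name, secs in rollover_intervals({"publish-safety": 3 * 86400}).items():
        print(f"{name} = {secs} s ({secs / 86400:.2f} days)")
```

To use it against a real server, read the *.state files from the zone's key-directory into the dictionary instead of SAMPLE_STATE_FILES and pass the zone's actual policy values; with the ARM defaults a ZSK predecessor is kept for roughly ten days, dominated by the signatures-validity minus signatures-refresh term, which is why shrinking a single TTL to speed up a test does not shorten the roll by much. The 'ds-unconfirmed' finding is the condition behind Adrien's stalled KSK: the roll does not proceed until named is told the DS is live, either by running the printed rndc command or by configuring parental-agents so named checks the parent itself.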