Hi Tom,

Because you just started signing your zone. The DNSKEY and RRSIG records are published but have to wait a TTL time before the DS may be published, to avoid a situation where a resolver fetches the DS but still has the corresponding DNSKEY query in the negative cache.

This time is based on the dnskey-ttl (60 seconds), publish-safety (1 hour), max-zone-ttl (1 day) and zone-propagation-delay (300 seconds).

- publish-safety is an additional wait period before continuing a key
  roll, to allow some time to react on unforeseen events.
- max-zone-ttl should be set to your maximum used TTL in the zone. In
  the future we may add the functionality to walk the zone and determine
  the max-zone-ttl.
- zone-propagation-delay is an additional wait period to cover for the
  time it takes between changes and actual publication.

All these values are there to be extra careful on key rollover timings. You can lower these values in the dnssec-policy to speed up the process for your test zone, or tweak them to better match your setup.

Best regards,

Matthijs
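
An added example, not from the thread or from BIND itself, that turns the timing explanation above into a check: it parses the Publish timestamp from a .key file like the one Tom posted and adds the four policy timers (dnskey-ttl, publish-safety, max-zone-ttl, zone-propagation-delay). It assumes, as a conservative upper bound, that the wait is the plain sum of those four values, and that policy durations are written as plain seconds or with TTL-style suffixes (s/m/h/d/w).

```python
"""Estimate the earliest time BIND's dnssec-policy can publish CDS/CDNSKEY for
a new KSK from the key file's Publish time and the four policy timers.
ASSUMPTION (not stated in the thread): the wait is modelled as the plain sum
of the four timers, a conservative upper bound; BIND's key manager may
finish sooner."""
import re
from datetime import datetime, timedelta, timezone

# TTL-style suffixes for policy durations; a bare number is seconds.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(value: str) -> int:
    """'60' -> 60, '1h' -> 3600, '1d' -> 86400, '1h30m' -> 5400."""
    value = value.strip().lower()
    if value.isdigit():
        return int(value)
    if not re.fullmatch(r"(\d+[smhdw])+", value):
        raise ValueError(f"unparseable duration: {value!r}")
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", value))


def key_metadata(key_file_text: str) -> dict:
    """Parse the '; Field: YYYYMMDDHHMMSS' comment lines of a BIND .key file.
    The 14-digit stamps are UTC; the bracketed time after them is local."""
    meta = {}
    for field, stamp in re.findall(r"^;\s*(\w+):\s*(\d{14})", key_file_text, re.M):
        meta[field] = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return meta


def cds_wait_seconds(policy: dict) -> int:
    """Conservative wait after DNSKEY publication before CDS/CDNSKEY and DS."""
    timers = ("dnskey-ttl", "publish-safety", "max-zone-ttl", "zone-propagation-delay")
    return sum(parse_duration(policy[t]) for t in timers)


def earliest_cds_time(key_file_text: str, policy: dict) -> datetime:
    """Publish time of the key plus the wait window."""
    return key_metadata(key_file_text)["Publish"] + timedelta(seconds=cds_wait_seconds(policy))


# Sample input: the key file comment lines quoted in the thread, and the timer
# values the reply quotes (dnskey-ttl 60 from Tom's policy, the rest defaults).
KEY_FILE = """; This is a key-signing key, keyid 2624, for example.com.
; Created: 20200409061638 (Thu Apr  9 08:16:38 2020)
; Publish: 20200409061638 (Thu Apr  9 08:16:38 2020)
; Activate: 20200409061638 (Thu Apr  9 08:16:38 2020)
"""
POLICY = {"dnskey-ttl": "60", "publish-safety": "1h",
          "max-zone-ttl": "1d", "zone-propagation-delay": "300"}

if __name__ == "__main__":
    when = earliest_cds_time(KEY_FILE, POLICY)
    print(f"wait {cds_wait_seconds(POLICY)} s; expect CDS/CDNSKEY no earlier than {when:%Y-%m-%d %H:%M:%S} UTC")
```

With the values above the window is 90360 seconds, so querying for CDS a few minutes after the key was published is expected to return nothing.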

On 09-04-2020 08:27, Tom wrote:
Hi
Using BIND-9.16.1.
In the last ISC DNSSEC webinar (https://www.youtube.com/watch?v=2aB__FZZQ84) I heard that CDS/CDNSKEY records should automatically be published when using dnssec-policies.

My policy looks like this:
dnssec-policy "test-policy" {
     dnskey-ttl 60;
     keys {
         ksk lifetime unlimited algorithm ecdsa256;
         zsk lifetime unlimited algorithm ecdsa256;
     };
};

and the zone like this:
zone "example.com" {
     type master;
     file "master/example.com.zone";
     key-directory "/etc/named/keys/example.com";
     dnssec-policy "test-policy";
};


When digging this zone for CDS/CDNSKEY records, these records do not exist:
$ dig +norec +noall +answer @127.0.0.1 cds example.com
$ dig +norec +noall +answer @127.0.0.1 cdnskey example.com

The key file for "example.com" also does not show a "published" date:
$ cat Kexample.com.+013+02624.key
; This is a key-signing key, keyid 2624, for example.com.
; Created: 20200409061638 (Thu Apr  9 08:16:38 2020)
; Publish: 20200409061638 (Thu Apr  9 08:16:38 2020)
; Activate: 20200409061638 (Thu Apr  9 08:16:38 2020)
example.com. 60 IN DNSKEY 257 3 13 uV/NtPZSL1fmO3FAi4pZCcbTl19iD3SizgVcDXGJEl1g4l/cHUGvVl33 3cx2cODA6RUj55pZa77g1VBtFBXByg==


Any hints, why in this case the dnssec-policy mechanism doesn't publish the CDS/CDNSKEY records?

Many thanks.

Kind regards,
Tom
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users