On Tue, Aug 10, 2021 at 08:51:04AM -0500, Tim Daneliuk via bind-users <bind-users@lists.isc.org> wrote:
> On 8/10/21 7:51 AM, Matthijs Mekking wrote:
> > Hi Klaus,
> >
> > On 10-08-2021 13:38, Klaus Darilion wrote:
> >> Hi Matthijs!
> >>
> >>> We would like to encourage you to change your configurations to
> >>> 'dnssec-policy'. See this KB article for migration help:
> >>>
> >>> https://kb.isc.org/docs/dnssec-key-and-signing-policy
> >>
> >> Some comments to this KB article and dnssec-policy:
> >>
> >> - The article should mention how to retrieve the DS record from
> >> Bind.
>
> So just to be sure I'm doing the right thing, I've added this to my
> options stanza:
>
>     dnssec-policy "default";
>
> Then restarted named and now all the signing magic is taken care of for
> me for all zones? (I was not previously using signing.)
>
> TIA,

I'm very new to this myself (so be warned) but that seems to be almost it.

BUT: You also MUST convey the DS for the default Combined Signing Key (CSK) to your registrar. That will be a manual process that your registrar can tell you about. For some, there's a web interface. For others, it's via email. For others, you have to use their DNS servers and let them do it for you (but that's a dull option).

To get the DS record information to convey to the registrar, after starting to use the default policy, look for the CDS record (the child version of the DS record) with dig:

    dig CDS EXAMPLE.ORG

For the default policy, you'll only have to do this once (or until your server gets compromised and you start again). But until you've done this, it's not done. The trust chain has to go all the way to the root, so you need the involvement of your registrar (to get your DS published and signed).

Syntax question: In https://bind9.readthedocs.io/en/latest/dnssec-guide.html the double quotes are never used in the zone stanza where the dnssec-policy is referred to. The double quotes sometimes (but not always) appear in the dnssec-policy definition stanza. Are the double quotes optional in both cases?
cheers,
raf
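An added example, not from raf's reply or from BIND itself: a POSIX shell check that the DS records the parent serves match the CDS records your signer publishes, i.e. the step above that has to be completed before the chain of trust reaches the root. The sample records are constructed, and the `dig +short` query lines in the comment are the assumed way to feed it live data.

```shell
#!/bin/sh
# Added example: check that the DS set at the parent matches the CDS set
# the signer publishes. Both inputs are `dig +short` output, one record
# per line: "<keytag> <algorithm> <digest-type> <digest hex ...>".

# Normalize a DS/CDS RRset: lowercase, join the hex digest into one token,
# drop anything that is not a DS-shaped line, sort and dedupe.
normalize_ds() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | awk 'NF >= 4 {
        digest = ""
        for (i = 4; i <= NF; i++) digest = digest $i
        print $1, $2, $3, digest
    }' | sort -u
}

# ds_matches_cds CDS_TEXT DS_TEXT
# Returns 0 when the parent publishes at least one DS and every one of
# them is among the child's CDS records; returns 1 otherwise (no DS at
# the parent yet, or a stale DS from a key the signer no longer offers).
ds_matches_cds() {
    cds=$(normalize_ds "$1")
    ds=$(normalize_ds "$2")
    [ -n "$ds" ] || return 1
    printf '%s\n' "$ds" | while IFS= read -r rr; do
        printf '%s\n' "$cds" | grep -Fxq -- "$rr" || exit 1
    done
}

# Constructed sample records (not real zone data). dig often splits the
# digest across tokens and uppercases it; the parent copy is lowercase.
CDS_SAMPLE='12345 13 2 0123456789ABCDEF0123456789ABCDEF 0123456789ABCDEF0123456789ABCDEF'
DS_SAMPLE='12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
DS_STALE='54321 8 2 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'

# Live use (assumed query form): compare what the zone publishes with
# what the parent serves.
#   ds_matches_cds "$(dig +short CDS example.org)" "$(dig +short DS example.org)"
ds_matches_cds "$CDS_SAMPLE" "$DS_SAMPLE" && echo "DS at parent matches CDS"
ds_matches_cds "$CDS_SAMPLE" "$DS_STALE" || echo "DS at parent is stale or missing"
```

Run it against the live CDS and DS answers after the registrar reports the DS as published; a non-zero exit means the chain is not yet complete or a DS from an old key is still lingering at the parent.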