On Wednesday, 10 August 2022 at 11:21:11 CEST, Matthijs Mekking wrote:
> On 10-08-2022 11:13, Magnus Holmgren wrote:
> > One question: Is it
> > necessary to use rndc dnssec -checkds or is that only meant as a backup,
> > and named is supposed to query the parent for DS records automatically?
> 
> That depends if you have set up parental-agents. If not, then you need
> to run 'rndc dnssec -checkds'.

I see. I find the documentation a bit sparse, however. "A parental agent is 
the entity that is allowed to change a zone’s delegation information (defined 
in RFC 7344)."; "Parental Agent: The entity that the Child has a relationship 
with to change its delegation information." So what list of servers is it that 
I'm configuring, exactly? The "hard" part is changing the delegation 
information, but that's done through CDS records, which it turns out our 
registrar supports. Verifying that the new DS record is in place should be a 
trivial matter of walking the chain from the root zone, should it not? Should 
I simply list a couple of the respective TLD's name servers? The registrar 
doesn't provide any special server(s) for the purpose, AFAICT.

Is the idea that you query the parental agent to see that they've picked up 
the CDS and then you trust that the parent zone will be updated within the 
parent-propagation-delay? That doesn't seem right; you'd want to make sure 
that the new DS is visible to the world, right?

Thanks,
-- 
Magnus Holmgren, developer
MILLNET AB, Datalinjen 1, 583 30 Linköping



-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
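
An added example, not part of the message above and not BIND's own code: the check the message describes, confirming that the DS derived from the new key appears in the DS RRset returned by every parent-side server, worked offline in Python. The zone name, server names, key bytes and per-server answers are constructed sample data; a real check would fetch each DS RRset with DNS queries.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of a domain name, as hashed for a DS."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol, algorithm, public key (RFC 4034)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, flags: int, protocol: int, algorithm: int, public_key: bytes):
    """DS as (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def servers_missing_ds(expected_ds, ds_by_server):
    """Names of the servers whose DS RRset does not contain expected_ds."""
    return sorted(s for s, rrset in ds_by_server.items() if expected_ds not in rrset)

# Constructed sample data: two 32-byte stand-ins for algorithm 15 public keys.
ZONE = "example.test."
NEW_DS = make_ds(ZONE, 257, 3, 15, bytes(range(32)))
OLD_DS = make_ds(ZONE, 257, 3, 15, bytes(range(32, 64)))

# Constructed answers: one parent-side server already serves the new DS,
# the other still serves only the old one.
PARENT_ANSWERS = {
    "a.ns.parent.example": [OLD_DS, NEW_DS],
    "b.ns.parent.example": [OLD_DS],
}

if __name__ == "__main__":
    lagging = servers_missing_ds(NEW_DS, PARENT_ANSWERS)
    print("new DS visible everywhere" if not lagging else f"still missing on: {lagging}")
```

Only an empty result from `servers_missing_ds` means every queried server has the new DS; a single up-to-date answer does not.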

