Magnus,
On 11-08-2022 11:26, Magnus Holmgren wrote:
Wednesday 10 August 2022 at 11:21:11 CEST, Matthijs Mekking wrote:
On 10-08-2022 11:13, Magnus Holmgren wrote:
One question: Is it
necessary to use rndc dnssec -checkds or is that only meant as a backup,
and named is supposed to query the parent for DS records automatically?
That depends if you have set up parental-agents. If not, then you need
to run 'rndc dnssec -checkds'.
I see. I find the documentation a bit sparse, however. "A parental agent is
the entity that is allowed to change a zone’s delegation information (defined
in RFC 7344)."; "Parental Agent: The entity that the Child has a relationship
with to change its delegation information." So what list of servers is it that
I'm configuring, exactly? The "hard" part is changing the delegation
information, but that's done through CDS records, which it turns out our
registrar supports. Verifying that the new DS record is in place should be a
trivial matter of walking the chain from the root zone, should it not? Should
I simply list a couple of the respective TLD's name servers? The registrar
doesn't provide any special server(s) for the purpose, AFAICT.
There are two common scenarios, I think.
First is to list all the public parent servers and add those to your
parental-agents configuration. BIND will only continue the rollover if
the new DS has been seen at all those servers.
Second is to set up a local validating resolver. When the DS is validated
by the resolver, you can assume it is published correctly in the parent.
Is the idea that you query the parental agent to see that they've picked up
the CDS and then you trust that the parent zone will be updated within the
parent-propagation-delay? That doesn't seem right; you'd want to make sure
that the new DS is visible to the world, right?
Not really.
BIND will query the parental agent to see if they published the DS
(corresponding to the CDS, yes). So it knows for sure it is visible to
the world.
The parent-propagation-delay is a safety delay to ensure that the DS has
been published to all parent secondaries.
Best regards,
Matthijs
Thanks,
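A named.conf fragment illustrating the two parental-agents setups Matthijs describes; it is an added example, not configuration from the thread or from ISC, and it assumes a zone example.com, parent name server addresses taken from the documentation ranges as placeholders, and a local validating resolver listening on 127.0.0.1 port 5353.

```conf
// Scenario 1: every public name server of the parent zone. named queries
// each of them for the DS and only advances the rollover once all of them
// return it. Addresses are placeholders from the documentation ranges.
parental-agents "parent-public" {
    192.0.2.10;       // parent ns1 (placeholder)
    192.0.2.11;       // parent ns2 (placeholder)
    2001:db8::10;     // parent ns1 over IPv6 (placeholder)
};

// Scenario 2: a local validating resolver. A DS answer that validates
// here implies the parent has really published it.
parental-agents "local-validator" {
    127.0.0.1 port 5353;   // assumed listener of the local resolver
};

dnssec-policy "rollover-policy" {
    keys {
        csk lifetime P1Y algorithm ecdsa256;
    };
    // Safety delay applied after the DS has been seen at the agents,
    // covering propagation to the parent's secondaries.
    parent-propagation-delay 1h;
    // TTL of the DS RRset in the parent, used to time the next step.
    parent-ds-ttl 1d;
};

zone "example.com" {
    type primary;
    file "example.com.db";
    dnssec-policy "rollover-policy";
    inline-signing yes;
    // Use exactly one of the two sets defined above.
    parental-agents { "parent-public"; };
};
```

Without a parental-agents list the DS step has to be confirmed by hand with `rndc dnssec -checkds -key <keyid> published example.com` (and `withdrawn` for the outgoing key), which is the manual path referred to earlier in the thread.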