Thursday 11 August 2022 at 17:47:40 CEST, Matthijs Mekking wrote:
> Magnus,
>
> On 11-08-2022 11:26, Magnus Holmgren wrote:
> > Wednesday 10 August 2022 at 11:21:11 CEST, Matthijs Mekking wrote:
> >> On 10-08-2022 11:13, Magnus Holmgren wrote:
> >>> One question: Is it necessary to use rndc dnssec -checkds or is that
> >>> only meant as a backup, and named is supposed to query the parent for
> >>> DS records automatically?
> >>
> >> That depends if you have set up parental-agents. If not, then you need
> >> to run 'rndc dnssec -checkds'.
> >
> > I see. I find the documentation a bit sparse, however. "A parental agent
> > is the entity that is allowed to change a zone's delegation information
> > (defined in RFC 7344)."; "Parental Agent: The entity that the Child has a
> > relationship with to change its delegation information." So what list of
> > servers is it that I'm configuring, exactly? The "hard" part is changing
> > the delegation information, but that's done through CDS records, which it
> > turns out our registrar supports. Verifying that the new DS record is in
> > place should be a trivial matter of walking the chain from the root zone,
> > should it not? Should I simply list a couple of the respective TLD's name
> > servers? The registrar doesn't provide any special server(s) for the
> > purpose, AFAICT.
>
> There are two common scenarios, I think.
>
> First is list all the public parent servers and add those to your
> parental-agents configuration. BIND will only continue the rollover if
> the new DS has been seen at all those servers.
>
> Second is set up a local validating resolver. When the DS is validated
> by the resolver, you can assume it is published correctly in the parent.
I see you suggested multiple methods in https://gitlab.isc.org/isc-projects/bind9/-/issues/1126, with "Automatic, by walking the parents" as the default, and an option check-ds, but nothing came of that?

IIUC, I have to list IP addresses of parental agents; strings are interpreted as references to other parental-agents lists. But keeping the lists of IP addresses of the TLDs' name servers up to date manually is not sustainable, so I guess I'll just point to our recursing nameserver.

Regards,
--
Magnus Holmgren, developer
MILLNET AB, Datalinjen 1, 583 30 Linköping
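Added illustration, not taken from the thread or from ISC's documentation: a named.conf sketch of the two scenarios Matthijs describes, with the zone name, file name and every address being placeholders I made up. The first list names the parent zone's public servers directly; the second points at a local validating resolver, which is what Magnus says he will do.

```conf
// Scenario 1: list the parent zone's public authoritative servers.
// named polls each listed server for the new DS and advances the
// rollover only once every one of them has returned it.
// (Placeholder addresses; substitute the parent/TLD's real NS addresses.)
parental-agents "tld-parents" {
    192.0.2.53;
    192.0.2.54;
    2001:db8::53;
};

// Scenario 2: a single local validating resolver. A validated DS answer
// from it implies the parent has published the record, and the resolver
// follows the TLD's server addresses for you, so there is no address
// list to maintain by hand.
parental-agents "local-resolver" {
    127.0.0.1 port 53;
};

zone "example.com" {
    type primary;
    file "example.com.db";
    dnssec-policy "default";
    // A quoted string refers to a named parental-agents list above;
    // bare addresses may also be written here directly.
    parental-agents { "local-resolver"; };
    // With no parental-agents at all, named instead waits for a manual
    // 'rndc dnssec -checkds published example.com' before continuing.
};
```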