Which parental-agent to use is up to you. Something you trust.
You can also configure multiple; if so, all parental agents will
perform the DS check, and only if all parental agents agree (have seen
the DS) will BIND set the DS as "seen published in the parent" and the
rollover continue.
Best regards,
Matthijs
On 14-10-2022 16:33, PGNet Dev wrote:
This is a log level bug. This log happens when BIND wants to check with the
parental-agents whether the DS has been published. But if you don't have
parental-agents set up, the list of keys to check will be empty. Hence
the "not found" result.
Thanks for reporting; this will be fixed in the next release. It
should be at debug log level.
+1 o/
i'd completely missed 'parental-agents' :-/
sounds like i likely *should* have it set up in any case; esp if using
dnssec-policy key rollovers (i am)
reading
https://bind9.readthedocs.io/en/latest/chapter5.html?highlight=parental-agents#key-rollover
i get the part it plays
unclear though which specific server one should use; in the example txt,
"Here one server, 192.0.2.1, is configured for BIND to send DS
queries to, to check the DS RRset for dnssec-example during key
rollovers. This needs to be a trusted server, because BIND does not
validate the response."
atm, my registrar/TLD don't support CDS/CDNSKEY (for .com, in this case)
so my DS RECORD gets manually entered @ registrar's web portal.
then, record propagates to roots, which -- eventually -- return
RRSIG/RRSET data on queries.
for rollover mgmt, what server should be set as parental-agent?
my registrar's?
a root?
something 'big', like cloudflare/1.1.1.1 ?
other?
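A zone stanza with two parental agents, matching the behaviour described in the reply above (every agent must return the new DS before the rollover proceeds). This is an added example, not configuration from the thread or from the BIND ARM; the zone name, file path and the two 192.0.2.x addresses are placeholders.

```conf
// Added example (not from the thread or the BIND documentation).
// 192.0.2.1 and 192.0.2.2 are RFC 5737 documentation addresses used as
// placeholders: replace them with servers you actually trust, since
// named does not DNSSEC-validate the answers it gets from parental agents.
zone "example.com" {
    type primary;
    file "/var/named/example.com.db";   // placeholder path

    // Automatic key management, including KSK/CSK rollovers.
    dnssec-policy "default";

    // Servers that named queries for the DS RRset during a rollover.
    // With more than one listed, each agent must return the new DS
    // before named marks it "seen published in the parent" and the
    // rollover continues; without this block the DS check logs
    // "not found" because there is nothing to query.
    parental-agents {
        192.0.2.1;
        192.0.2.2;
    };
};
```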
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users