On 4/11/23 13:14, David Carvalho wrote:
Hello and thank you so much for your help. Regarding question 1, my
version is 9.16-9.1623-0.9.el8... so I got the bug. No update is
available from Oracle Linux yet, so I'll create a folder and maintain
a copy of those files there.

In which situation should I be required to resend my key to the top
domain? I'll have to read more about ZSK, KSK and CSK rollovers. All
of this is new to me so far.

I think it would be useful to read this knowledge base article if all is new to you:


Basically in the following two scenarios you need to publish the public key to the parent domain:

1. Enabling DNSSEC
2. KSK rollover

With the default policy, KSK rollover is not scheduled, so only after you manually roll the key do you need to publish (and withdraw) the DS records at the parent.

When exactly? You can check with 'rndc dnssec -status <zone>'. If the DS state is "rumoured", it is safe to submit the DS to the parent.

Best regards,


Thanks! David Carvalho

-----Original Message-----
From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Matthijs Mekking
Sent: 11 April 2023 11:16
To: bind-users@lists.isc.org
Subject: Re: Fully automated DNSSEC with BIND 9.16

Hello David,

On 4/11/23 12:02, David Carvalho via bind-users wrote:
Hello, hope everyone is fine.

So it seems that going to BIND version 9.16 was the right call, as
it simplifies DNSSEC a lot.

Nevertheless, I would like to clarify some things because our organization has a parent domain and I host my own e-mail servers.
I know they had problems while implementing DNSSEC on the top
domain, and some configurations had to be made to let subdomain
e-mail servers still work after DNSSEC.

Following the RedHat tutorial, all I had to do was add "dnssec-policy default;" into one of my zones for testing purposes. I'm not
testing reverse zones yet.

After this, 3 files "Kmy.domain***" were created:




Three files regarding my zone were also created:


And the following two, whose purpose I'm not sure of:

my.domain.jbk and my.domain.signed.jnl

The .jnl files are journal files; they are created when a zone uses
dynamic update, and they store the changes made to the zone file.

The .jbk files are truly temporary files and should be removed again
when writing the contents of the zone to file.

There are also "managed-keys.bind" and "managed-keys.bind.jnl".

These are trust anchor files, and store the state of those keys.
These will be updated on a restart.

My questions:

1. Every time I restart the service, it seems all these files are recreated. Does this mean that every time I make a change in the host zone, I need to resend the public key to my top domain?

No, the key files (.key, .private, .state) should also not be
recreated upon restart (a bug that would recreate key files every
keymgr run was fixed in 9.16.30).

2. Do Parental Agents help with this?

Not in this case, because there is no need to send the public key to
the parent domain. Parental agents only help to automatically detect
if the corresponding DS has been published.

Without parental agents configured you need to use 'rndc dnssec
-checkds' to tell BIND that a certain DS has been published/withdrawn
in order to continue key rollover.

3. Which format should I use when providing the key to the top
level domain?

* dnssec-dsfromkey

* grep DNSKEY /var/named/Kexample.com.+013+61141.key

I assume you are submitting the public key to your registrar and it
depends on what format your registrar accepts.

Best regards,


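As an added example that is not part of this thread, the following POSIX shell script ties together the two points above: reading the DS state from 'rndc dnssec -status <zone>' and choosing between submitting the DS (via dnssec-dsfromkey) and telling BIND about it with 'rndc dnssec -checkds'. The status text is a constructed approximation of BIND 9.16 output, and KEYDIR, the zone name and key id 61141 are assumed placeholders.

```shell
#!/bin/sh
# Constructed sample of 'rndc dnssec -status example.com' output
# (layout approximates BIND 9.16; not captured from a real server).
SAMPLE_STATUS='dnssec-policy: default
current time: Tue Apr 11 13:00:00 2023

key: 61141 (ECDSAP256SHA256), CSK
  published:      yes - since Tue Apr 11 11:00:00 2023
  key signing:    yes - since Tue Apr 11 11:00:00 2023
  zone signing:   yes - since Tue Apr 11 11:00:00 2023

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             rumoured
  - zone rrsig:     omnipresent
  - key rrsig:      omnipresent'

KEYDIR=/var/named   # placeholder: directory holding the K*.key files

# Print the "ds:" state of key $2 from status text $1 (empty if absent).
ds_state() {
    printf '%s\n' "$1" | awk -v id="$2" '
        /^key: / { cur = $2 }                       # "key: 61141 (...), CSK"
        cur == id && $1 == "-" && $2 == "ds:" { print $3; exit }'
}

# Map a DS state to the operator's next step: $1=zone, $2=keyid, $3=state.
# Key file name follows the K<zone>.+<alg>+<id>.key convention (013 = ECDSAP256SHA256).
next_step() {
    case "$3" in
        rumoured)
            # Safe to hand the DS to the parent; then confirm publication to BIND.
            echo "submit: dnssec-dsfromkey -a SHA-256 $KEYDIR/K$1.+013+$2.key;" \
                 "after the parent publishes it: rndc dnssec -checkds -key $2 published $1" ;;
        omnipresent) echo "done: parent already serves the DS for key $2" ;;
        hidden)      echo "wait: DS for key $2 is not ready to be submitted" ;;
        unretentive)
            echo "withdraw: remove the DS at the parent, then" \
                 "rndc dnssec -checkds -key $2 withdrawn $1" ;;
        *)           echo "unknown DS state '$3' for key $2"; return 1 ;;
    esac
}

# Stand-alone run against the constructed sample.
STATE=$(ds_state "$SAMPLE_STATUS" 61141)
next_step example.com 61141 "$STATE"
```

Replace SAMPLE_STATUS with the real output of 'rndc dnssec -status example.com' to use it against a live server.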