Re: AW: AW: Deprecating auto-dnssec and inline-signing in 9.18+
Klaus Darilion via bind-users wrote:
>
> By reading this KB I do not know how the user will be informed which DS
> (or DNSKEY) must be submitted to the parent zone. I know how to convert
> a DNSKEY to DS, but IMO the KB is very good but misses that point.

I would expect the zone's apex CDS and CDNSKEY records to change, but neither are mentioned in the KB article.

Tony.
--
f.anthony.n.finch  https://dotat.at/
a fair voting system for all elections

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: AW: AW: Deprecating auto-dnssec and inline-signing in 9.18+
Thanks, I got some more suggestions to improve the KB article, I'll include yours in that list.

On 10-08-2021 15:28, Klaus Darilion wrote:
> > On 10-08-2021 13:38, Klaus Darilion wrote:
> > > Hi Matthijs!
> > >
> > > > We would like to encourage you to change your configurations to
> > > > 'dnssec-policy'. See this KB article for migration help:
> > > >
> > > > https://kb.isc.org/docs/dnssec-key-and-signing-policy
> > >
> > > Some comments on this KB article and dnssec-policy:
> > >
> > > - The article should mention how to retrieve the DS record from
> > > Bind.
> >
> > I am not sure what you are asking. Do you mean how to convert the DS
> > from the DNSKEY record so you can submit it to the registrar?
>
> Yes. By reading this KB I do not know how the user will be informed which DS
> (or DNSKEY) must be submitted to the parent zone. I know how to convert a
> DNSKEY to DS, but IMO the KB is very good but misses that point.
>
> > > - How does Bind handle duplicate keyids when generating new keys?
> > > Will Bind ensure that there will not be any duplicate key ids or
> > > will it just use the duplicate keys? In the latter case the "rndc
> > > dnssec -checkds -key 12345 ..." commands will be ambiguous. (From a
> > > user perspective duplicate keyids should be avoided)
> >
> > BIND will check for key id collision. When a conflict (for the same
> > algorithm) is detected a new key will be generated.
>
> Thanks for the info, could be mentioned somewhere
>
> Klaus
AW: AW: Deprecating auto-dnssec and inline-signing in 9.18+
> On 10-08-2021 13:38, Klaus Darilion wrote:
> > Hi Matthijs!
> >
> > > We would like to encourage you to change your configurations to
> > > 'dnssec-policy'. See this KB article for migration help:
> > >
> > > https://kb.isc.org/docs/dnssec-key-and-signing-policy
> >
> > Some comments on this KB article and dnssec-policy:
> >
> > - The article should mention how to retrieve the DS record from
> > Bind.
>
> I am not sure what you are asking. Do you mean how to convert the DS
> from the DNSKEY record so you can submit it to the registrar?

Yes. By reading this KB I do not know how the user will be informed which DS
(or DNSKEY) must be submitted to the parent zone. I know how to convert a
DNSKEY to DS, but IMO the KB is very good but misses that point.

> > - How does Bind handle duplicate keyids when generating new keys?
> > Will Bind ensure that there will not be any duplicate key ids or
> > will it just use the duplicate keys? In the latter case the "rndc
> > dnssec -checkds -key 12345 ..." commands will be ambiguous. (From a
> > user perspective duplicate keyids should be avoided)
>
> BIND will check for key id collision. When a conflict (for the same
> algorithm) is detected a new key will be generated.

Thanks for the info, could be mentioned somewhere

Klaus
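Two points in this thread are mechanical enough to show in code: how a DS (and the identical CDS RDATA Tony mentions) is derived from a DNSKEY so an operator knows what to hand to the parent, and why the key id used in "rndc dnssec -checkds -key 12345" can collide, which is what BIND's regeneration on conflict guards against. The block below is an added example written for this thread; it is not BIND's code and not from any message above (BIND's own tool for this is dnssec-dsfromkey). It implements the RFC 4034 key tag and DS digest (RFC 4034 s5.1.4, digest types 1, 2 and 4), and the DNSKEY values in it are constructed toy keys, not real ECDSA public keys: the two keys are chosen so that they differ but share key tag 1550.

```python
"""Derive the DS record (and its identical CDS twin) from a DNSKEY, and compute
the RFC 4034 key tag that BIND reports as the key id.
Added illustration for the bind-users thread above; not BIND's own code.
The DNSKEYs used in __main__ and the tests are constructed toy values."""
import base64
import hashlib
import struct

# DS digest types (RFC 4034 s5.1.3, RFC 4509, RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def canonical_name_wire(owner):
    """Owner name in canonical wire form (RFC 4034 s6.2): labels lowercased,
    each prefixed by its length, terminated by the root label."""
    owner = owner.strip().rstrip(".").lower()
    wire = b""
    if owner:
        for label in owner.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label in owner name %r" % owner)
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5).
    A 16-bit checksum of the RDATA, so two different keys can share a tag;
    that is the collision BIND avoids by generating a fresh key."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(presentation):
    """Parse '<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <base64...>'."""
    tokens = presentation.replace("(", " ").replace(")", " ").split()
    idx = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    return owner, flags, protocol, algorithm, pubkey


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Return (key_tag, algorithm, digest_type, digest_hex) for the DS record.
    digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 s5.1.4; the
    owner name is part of the input, so the same key in another zone gets a
    different DS but the same key tag."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](canonical_name_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest.upper()


def ds_records(presentation, digest_type=2):
    """Presentation-format DS and CDS lines for one DNSKEY. The CDS record
    carries exactly the RDATA the parent should publish as DS (RFC 7344);
    only the type differs, which is why the apex CDS changes on a KSK roll."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(presentation)
    tag, alg, dt, digest = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type)
    ds = "%s IN DS %d %d %d %s" % (owner, tag, alg, dt, digest)
    return ds, ds.replace(" IN DS ", " IN CDS ", 1)


if __name__ == "__main__":
    # Constructed toy keys (not real ECDSA points): different keys, same key tag.
    toy_a = "example.com. 3600 IN DNSKEY 257 3 13 AgA="
    toy_b = "example.com. 3600 IN DNSKEY 257 3 13 AQABAA=="
    for rr in (toy_a, toy_b):
        print(rr)
        for line in ds_records(rr):
            print("   ", line)
```

Running it prints a DS and a CDS line for each toy key; both keys report key tag 1550 while their digests differ, which is the ambiguity the "-key 12345" argument would face if BIND did not regenerate on a collision.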