Re: Full automatic DNSSEC for hosted zones/domains
Hi Philippe,

On 4/7/20 3:46 PM, Philippe Maechler wrote:
> Hello bind users
>
>> The answer is almost, as long as the zone has a DNSSEC policy configured:
>>
>> zone "newdomain.de" {
>>     type master;
>>     file "../master/newdomain.de";
>>     dnssec-policy default;
>> };
>>
>> The only thing not yet fully automated is submitting the DS to the
>> parent. You can do that as soon as named puts the CDS/CDNSKEY records in
>> the zone.
>
> So you're saying that with a DNSSEC policy configured, bind is creating CDS
> records for me? If so, then when my registrar is supporting those records
> (switch.ch), this zone is fully automated in regards to DNSSEC?
> Is the creation of CDS records a config option or on by default?

Yes, that is right. The creation of CDS and CDNSKEY records always
happens and cannot be turned off with an option.

> What about going from secure to insecure? Is this possible with dnssec policy
> or do I then have to put the relevant CDS records in the zone by hand?

This is not possible yet with dnssec-policy. I suggest putting the
deletion CDS record in the zone, setting dnssec-policy to none, and
running dnssec-signzone on your zone temporarily.

Best regards,

Matthijs

>
> Best regards
> Philippe

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
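Added example (not part of the thread and not ISC code): before handing the DS to the parent, which is the one manual step mentioned above, an operator can check that a published CDS really is the digest of a DNSKEY in the zone, and recognise the deletion CDS used when going insecure. The key material and helper names below are constructed for illustration; only the zone name comes from the thread.

```python
import hashlib

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types 2 and 4

def wire_name(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """(key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def classify_cds(owner, cds, dnskeys):
    """Return 'delete', 'match' or 'mismatch' for one CDS record.

    cds is (key tag, algorithm, digest type, hex digest); dnskeys is a list
    of DNSKEY RDATA byte strings taken from the same zone.
    """
    tag, alg, dtype, digest = cds
    if (tag, alg, dtype) == (0, 0, 0) and int(digest, 16) == 0:
        return "delete"  # RFC 8078 deletion request: "CDS 0 0 0 00"
    if dtype not in DIGESTS:
        return "mismatch"
    for rdata in dnskeys:
        if make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.upper()):
            return "match"
    return "mismatch"

# Constructed sample data, not taken from the thread: a KSK-style key
# (flags 257, algorithm 13) with 64 placeholder bytes as its public key.
SAMPLE_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))
SAMPLE_CDS = make_ds("newdomain.de.", SAMPLE_KEY)

if __name__ == "__main__":
    print("CDS %d %d %d %s" % SAMPLE_CDS)
    print(classify_cds("newdomain.de", SAMPLE_CDS, [SAMPLE_KEY]))
    print(classify_cds("newdomain.de", (0, 0, 0, "00"), [SAMPLE_KEY]))
```

A "mismatch" result means the CDS does not correspond to any DNSKEY supplied for that owner name, so the DS should not be submitted until the cause is understood.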
Re: Full automatic DNSSEC for hosted zones/domains
On 07.04.2020 at 10:55, Matthias Fechner wrote:
> After bind was reloaded/restarted, it automatically creates the required
> keys and fully maintains the zone, does key rollover, everything required
> fully by itself?

I got a private email pointing me to some webinars explaining DNSSEC.
I found them here:
https://www.youtube.com/watch?v=MheHMWCOTvE=PLUwyH0o3uuICgnbQj_lQajRI_CzewZr7q

I can really recommend this. It brings a lot of information nicely
explained, very very helpful!

I will continue with the series and will come back with some more
specific questions ;)

Regards
Matthias

-- 
"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning."
-- Rich Cook
RE: Full automatic DNSSEC for hosted zones/domains
Hello bind users

> The answer is almost, as long as the zone has a DNSSEC policy configured:
>
> zone "newdomain.de" {
>     type master;
>     file "../master/newdomain.de";
>     dnssec-policy default;
> };
>
> The only thing not yet fully automated is submitting the DS to the
> parent. You can do that as soon as named puts the CDS/CDNSKEY records in
> the zone.

So you're saying that with a DNSSEC policy configured, bind is creating CDS
records for me? If so, then when my registrar is supporting those records
(switch.ch), this zone is fully automated in regards to DNSSEC?
Is the creation of CDS records a config option or on by default?

What about going from secure to insecure? Is this possible with dnssec policy
or do I then have to put the relevant CDS records in the zone by hand?

Best regards
Philippe
Re: Full automatic DNSSEC for hosted zones/domains
Hi Matthias,

The answer is almost, as long as the zone has a DNSSEC policy configured:

zone "newdomain.de" {
    type master;
    file "../master/newdomain.de";
    dnssec-policy default;
};

The only thing not yet fully automated is submitting the DS to the
parent. You can do that as soon as named puts the CDS/CDNSKEY records in
the zone.

Best regards,

Matthijs

On 4/7/20 10:55 AM, Matthias Fechner wrote:
> Dear all,
>
> is bind (version 9.16.1) able to do all DNSSEC required steps fully by
> itself?
>
> So I only create a new zone for a domain and include it like for
> newdomain.de:
> zone "newdomain.de" {
>     type master;
>     file "../master/newdomain.de";
>     ...
> };
>
> After bind was reloaded/restarted, it automatically creates the required
> keys and fully maintains the zone, does key rollover, everything required
> fully by itself?
>
> Regards
> Matthias
>