[dns-operations] About KASP

Matthijs Mekking matthijs at pletterpet.nl
Tue Jun 27 06:53:55 UTC 2023


Hi,

This is a topic better suited to bind-users at lists.isc.org, but I'll 
respond here inline.

On 6/26/23 15:19, daniel majela wrote:
> Hey guys....
> 
> I'm testing KASP...bind9 9.16.23
> I created a policy like this...
> dnssec-policy "my-policy" {
>       dnskey-ttl 3600;
>       keys {
>           ksk lifetime P1Y algorithm ecdsap256sha256;
>           zsk lifetime 60d algorithm ecdsap256sha256;
>       };
>       nsec3param iterations 0 opt at salt-length 8;
> };
> 
> The KSK and ZSK key generation were created correctly and I kept the 
> "inline-signing yes" line.
> My doubt is the following.
> Every 2 months the ZSK replaces the keys automatically, and I shouldn't 
> have any problems, correct?

Correct.

> Every year the KSK key will be replaced and I will have to observe the 
> new HASH value and configure it in mine (registro.br, 
> http://registro.br). My doubt is whether my applications within the 
> zone that generated a new KSK key will be outside? How much time do I 
> have to replace the hash value at registro.br? I 
> couldn't understand that... I have many zones, and how do I manage that 
> "tomorrow" a KSK will expire?

After a new KSK has been introduced, a CDS/CDNSKEY record will after some 
time be added to the zone. The rollover will not continue until you tell 
BIND 9 that the DS (a.k.a. the hash value) is in the parent.

After you have seen the DS in the parent, you should use 'rndc' to tell it so:

     rndc dnssec -checkds published -key <keyid> <zone>

If you replaced the DS in the parent, also tell BIND so with:

     rndc dnssec -checkds withdrawn -key <keyid> <zone>

Alternatively you can set up parental-agents that will query those 
servers for the DS RRset during KSK rollover.

Best regards,

Matthijs


> Thanks.
> 
> -- 
> Daniel Majela Galvão
> http://br.linkedin.com/pub/daniel-souza/6/1b1/774
> 
> (55-012) - 9-8201-9885
> (55-012) - 9-9761-1511
> (55-012) - 32076909
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
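The reply above says to tell named about the DS only "after you have seen the DS in the parent". The script below is an added example, not code from the thread or from BIND, of the check an operator would run before typing those rndc commands: it normalises the CDS RRset the child publishes and the DS RRset the parent serves (as dig prints them, with the digest possibly lower-case and split), and prints the matching "rndc dnssec -checkds" command only when the parent state is what BIND is waiting for. Which key tag is the new KSK and which is the retiring one is something the operator reads from "rndc dnssec -status <zone>"; the script does not guess it. The zone name, key tags and digests are constructed samples, and the rndc argument order follows the rndc man page.

```shell
#!/usr/bin/env bash
# Added example (not from the thread, not BIND's code): before telling named
# "rndc dnssec -checkds published|withdrawn", compare the CDS RRset the child
# zone publishes with the DS RRset the parent actually serves, and print the
# rndc command only when the parent state matches what BIND is waiting for.
# Which key tag is the new KSK and which is the retiring one comes from
# "rndc dnssec -status <zone>"; this script only inspects the records.
# Zone name, key tags and digests are constructed samples.

set -eu

ZONE="example.com."

# Constructed input, in the form printed by
#   dig +noall +answer CDS example.com. @<your authoritative server>
#   dig +noall +answer DS  example.com. @<a nameserver of the parent zone>
# The parent still serves the old KSK's DS (tag 54321) next to the new one
# (tag 12345), and prints the new digest lower-case and split in two.
CHILD_CDS='example.com. 3600 IN CDS 12345 13 2 0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9'
PARENT_DS='example.com. 86400 IN DS 54321 13 2 FFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA99887766554433221100
example.com. 86400 IN DS 12345 13 2 0a1b2c3d4e5f60718293a4b5c6d7e8f9 0a1b2c3d4e5f60718293a4b5c6d7e8f9'

# Normalise DS/CDS records to "TAG ALG DIGESTTYPE DIGEST". The digest is
# upper-cased and re-joined: dig may print it split and in lower case, and a
# plain string compare would then report a mismatch for an identical record.
norm_rrset() {
    printf '%s\n' "$1" | awk '
        {
            start = 0
            for (i = 1; i <= NF; i++) if ($i == "DS" || $i == "CDS") { start = i + 1; break }
            if (!start) next
            digest = ""
            for (i = start + 3; i <= NF; i++) digest = digest toupper($i)
            print $start, $(start + 1), $(start + 2), digest
        }' | sort -u
}

# Records of one normalised set that belong to key tag $1.
for_tag() { printf '%s\n' "$2" | awk -v t="$1" '$1 == t'; }

# New KSK: every CDS the child publishes for the tag must be present, byte
# for byte, in the parent's DS RRset before "-checkds published" is correct.
# A DS with the right tag but a different digest would break validation for
# the whole zone, so that case is reported separately.
# Usage: checkds_published TAG [CDS_RRSET] [DS_RRSET]
checkds_published() {
    tag=$1
    want=$(for_tag "$tag" "$(norm_rrset "${2:-$CHILD_CDS}")")
    have=$(for_tag "$tag" "$(norm_rrset "${3:-$PARENT_DS}")")
    if [ -z "$want" ]; then
        echo "WAIT: zone does not publish CDS for key $tag yet"
        return 0
    fi
    missing=0
    while IFS= read -r rec; do
        printf '%s\n' "$have" | grep -Fxq -- "$rec" || missing=1
    done <<EOF
$want
EOF
    if [ "$missing" -eq 0 ]; then
        # Argument order as in the rndc man page.
        echo "rndc dnssec -checkds -key $tag published $ZONE"
    elif [ -n "$have" ]; then
        echo "MISMATCH: parent DS for key $tag does not match the child CDS; fix the parent first"
    else
        echo "WAIT: parent does not serve a DS for key $tag yet"
    fi
}

# Retiring KSK: the parent must serve no DS at all for the old tag before
# "-checkds withdrawn" is correct.
# Usage: checkds_withdrawn TAG [DS_RRSET]
checkds_withdrawn() {
    tag=$1
    have=$(for_tag "$tag" "$(norm_rrset "${2:-$PARENT_DS}")")
    if [ -z "$have" ]; then
        echo "rndc dnssec -checkds -key $tag withdrawn $ZONE"
    else
        echo "WAIT: parent still serves a DS for retiring key $tag"
    fi
}

checkds_published 12345
checkds_withdrawn 54321
```

With the sample data the first call prints the "published" command for the new key, while the second reports that the old DS is still at the parent, so "-checkds withdrawn" must wait until the registrar has removed it. For many zones, the same two functions can be run in a loop over the output of "rndc dnssec -status" per zone, replacing the constructed records with live dig output.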

