[dns-operations] About KASP
Matthijs Mekking
matthijs at pletterpet.nl
Tue Jun 27 06:53:55 UTC 2023
Hi,
This is a topic better suited to bind-users at lists.isc.org, but I'll
respond here inline.
On 6/26/23 15:19, daniel majela wrote:
> Hey guys....
>
> I'm testing KASP...bind9 9.16.23
> I created a policy like this...
> dnssec-policy "my-policy" {
> dnskey-ttl 3600;
> keys {
> ksk lifetime P1Y algorithm ecdsap256sha256;
> zsk lifetime 60d algorithm ecdsap256sha256;
> };
> nsec3param iterations 0 opt at salt-length 8;
>
> The KSK and ZSK key generation were created correctly and I kept the
> "inline-signing yes" line.
> My doubt is the following.
> Every 2 months the ZSK replaces the keys automatically and I shouldn't
> have any problems, correct?
Correct.
> Every 1 year the KSK key will be replaced and I will have to observe the
> new HASH value and configure it in mine (registro.br). My doubt is
> whether my applications within the zone that generated a new ksk key
> will be outside? How much time do I have to replace the hash value in
> (registro.br)? I couldn't understand that.... there are many zones that
> I have and how to manage that "tomorrow" a KSK will expire.
Some time after a new KSK is introduced, a CDS/CDNSKEY record will be
added to the zone. The rollover will not continue until you tell BIND 9
that the DS (a.k.a. the hash value) is in the parent.
After you have seen the DS in the parent, you should use 'rndc' to tell it so:
rndc dnssec -checkds published -key <keyid> <zone>
If you replaced the DS in the parent, also tell BIND so with:
rndc dnssec -checkds withdrawn -key <keyid> <zone>
Alternatively you can set up parental-agents that will query those
servers for the DS RRset during KSK rollover.
Best regards,
Matthijs
> Thanks.
>
> --
> Daniel Majela Galvão
> http://br.linkedin.com/pub/daniel-souza/6/1b1/774
>
> (55-012) - 9-8201-9885
> (55-012) - 9-9761-1511
> (55-012) - 32076909
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
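The -checkds steps from the reply above, as an added example (not code from the thread or from BIND): it takes the zone's CDS records and the parent's DS RRset in 'dig +short' form and reports which 'rndc dnssec -checkds' commands are safe to run and what still blocks the rollover. The zone name example.com, the key ids 12345/54321 and the list of retiring keys are constructed sample inputs, not values from the thread.

```python
"""Plan the 'rndc dnssec -checkds' steps of a BIND 9 KASP KSK rollover.
Compares the zone's CDS records with the DS RRset seen at the parent and
emits the rndc commands to run. Does not run rndc itself."""
from collections import namedtuple

DS = namedtuple("DS", "tag alg dtype digest")

def parse_ds(lines):
    """Parse 'tag alg dtype digest' lines (CDS or DS rdata) from dig +short.
    dig may split the hex digest into several tokens, so rejoin and lowercase
    it. The RFC 8078 delete sentinel ('0 0 0 00', algorithm 0) is skipped."""
    records = set()
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or fields[1] == "0":
            continue
        tag, alg, dtype = (int(f) for f in fields[:3])
        records.add(DS(tag, alg, dtype, "".join(fields[3:]).lower()))
    return records

def checkds_plan(zone, cds_lines, parent_ds_lines, retiring_tags=()):
    """Return (commands, notes). retiring_tags are the key ids of KSKs on
    their way out, as shown by 'rndc dnssec -status' (operator-supplied)."""
    cds, parent = parse_ds(cds_lines), parse_ds(parent_ds_lines)
    commands, notes = [], []
    for tag in sorted({r.tag for r in cds}):
        if any(r in parent for r in cds if r.tag == tag):  # exact DS match
            commands.append(f"rndc dnssec -checkds published -key {tag} {zone}")
        elif any(r.tag == tag for r in parent):  # same key id, wrong digest
            notes.append(f"key {tag}: DS at the parent differs from the CDS; fix it")
        else:
            notes.append(f"key {tag}: CDS published, no DS at the parent yet; wait")
    for tag in sorted(set(retiring_tags)):
        if any(r.tag == tag for r in parent):  # old DS must be gone first
            notes.append(f"key {tag}: old DS still at the parent; remove it first")
        else:
            commands.append(f"rndc dnssec -checkds withdrawn -key {tag} {zone}")
    return commands, notes

# Constructed sample (not real keys): new KSK 12345 has its CDS published and
# its DS already copied to the parent; old KSK 54321 still has a DS there.
SAMPLE_CDS = ["12345 13 2 AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12CD34EF56 AB12CD34EF56AB12"]
SAMPLE_PARENT_DS = [
    "54321 13 2 0011223344556677889900112233445566778899001122334455667788990011",
    "12345 13 2 ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12",
]

if __name__ == "__main__":
    cmds, notes = checkds_plan("example.com", SAMPLE_CDS, SAMPLE_PARENT_DS, (54321,))
    print("\n".join(cmds + notes))
```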