Re: debsuryorg-archive-keyring

[Matthew Pounsett]

Somewhat related to this, the README in the bind.debian.net repository
still includes scripting which sets up packages.sury.org as the repository,
which no longer exists in the DNS.  That could use some cleanup.
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Questions about automatic KSK and using an additional stand-by KSK

[Bernd Naumann]

I've followed the ARM and the DNSSEC Guide, as well as some ISC KB blog
posts.

What I got working on BIND 9.18.33:
* adding a dnsssec-policy
* adding a zone using that dnssec-policy
- setting only SOA, NS, and the  for NS for a minimal zone
* reload zone

I got an KSK and ZSK; the zone got signed; I added the KSK to
`trust-anchors` as an `initial-key`, and saw that the key got /managed/.

So far so good.

```
dnssec-policy "dn42-ec" {
keys {
ksk lifetime P1Y algorithm ecdsa256;
zsk lifetime P60D algorithm ecdsa256;
};
purge-keys 0;
};

zone "example.dn42" {
type primary;
file "/etc/bind/db.dn42.example";
dnssec-policy dn42-ec;
inline-signing yes;
allow-transfer {
fd00::/8;
};
};
```

```
# cat /etc/bind/keys/Kexample.dn42.+013+03829.key
; This is a key-signing key, keyid 3829, for example.dn42.
; Created: 20250220195943 (Thu Feb 20 19:59:43 2025)
; Publish: 20250220195943 (Thu Feb 20 19:59:43 2025)
; Activate: 20250220195943 (Thu Feb 20 19:59:43 2025)
; Inactive: 20260220195943 (Fri Feb 20 19:59:43 2026)
; Delete: 20260221215943 (Sat Feb 21 21:59:43 2026)
; SyncPublish: 20250221210443 (Fri Feb 21 21:04:43 2025)
example.dn42. 3600 IN DNSKEY 257 3 13
pMlQUzpKNh2rgEh+DsazO8AiOHKFSpIvUltNPufKR26CugUU1p/1E8fi
atOqnOKIqUqrW+EJF/+RrgDPxfhW/A==

# cat /etc/bind/keys/Kexample.dn42.+013+41655.key
; This is a zone-signing key, keyid 41655, for example.dn42.
; Created: 20250220195943 (Thu Feb 20 19:59:43 2025)
; Publish: 20250220195943 (Thu Feb 20 19:59:43 2025)
; Activate: 20250220195943 (Thu Feb 20 19:59:43 2025)
; Inactive: 20250421195943 (Mon Apr 21 19:59:43 2025)
; Delete: 20250501210443 (Thu May  1 21:04:43 2025)
example.dn42. 3600 IN DNSKEY 256 3 13
oRwtJvxmISF4H9eMXkbqgL87muMvwP/D3v+dzki0GoYhl3d7OD03Jaeg
ykM+Qra0swAGHNfpprwsmjiOL7J00Q==
```


I then generated an stand-by key `dnssec-keygen -G` and included it to
the zone.

I tried sync, freeze, /update/, reload, thaw; and
I tried to `update add` the DNSKEY Record.


But, my issue is now: **I don't see the second KSK in the zone.**

I went through the manual generation and sign process and IIRC adding a
second KSK and seeing afterwards 2x KSK and 1x ZKS wasn't an issue.

What mistakes I do when trying to add a stand-by KSK to a auto-managed
zone? Or do I need to stick with the manual update and signing process?

(In the end I want to have the second KSK known to resolver so they can
manage (rfc 5011) that key for later revocation and roll-over events.)

Thanks.
Bernd


OpenPGP_signature.asc
Description: OpenPGP digital signature
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users