ISC Open Source Projects / BIND / Issues / #2710

Issue created May 19, 2021 by Matthijs Mekking (@matthijs)

Allow for arbitrary DNSKEY/CDS/CDNSKEY records to be published

To support the multi-signer model (2), we want to allow arbitrary CDS/CDNSKEY records to be published in the zone. Currently this is not possible, because zone_cdscheck will error if there are CDS/CDNSKEY records in the zone that do not have a matching DNSKEY record.

The multi-signer model (2) ensures a safe transition from one provider to another provider without going insecure. In this model, both providers have their own KSK. To roll over to the other provider, the DS records of both KSKs need to be published at some point, and if the double DS RRset is known to the world, the old DS record can be removed and the transition to the new provider is complete.

If the parent supports DNSSEC Child-Parent synchronization, it may query the child zone's servers for CDS/CDNSKEY records in order to update the DS RRset. In the case of a provider transition, both providers should publish the CDS/CDNSKEY RRset that contains two entries, one corresponding to the KSK of one provider, one corresponding to the KSK of the other provider.

It should be possible for such a CDS/CDNSKEY record to be added to the zone file, or it may be added with a Dynamic Update.

Edited Oct 05, 2022 by Matthijs Mekking
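The following Python is an added example, not BIND code and not the zone_cdscheck implementation. It models the situation the issue describes: it derives DS records from DNSKEYs (RFC 4034 Appendix B key tag, RFC 4509 SHA-256 digest), builds the two-entry CDS/CDNSKEY RRsets both providers would publish during a multi-signer transition, and contrasts a strict check that rejects the other provider's KSK (the behaviour the issue wants relaxed) with a relaxed check that admits it. The zone name, the key bytes (which are placeholder bytes of the right length for algorithm 13, not real keys), and the function names are constructed for this example; the extra rule that the zone's own KSK must remain covered by the published CDS/CDNSKEY RRsets is the example's own sanity check, not something the issue states.

```python
import hashlib
import struct
from dataclasses import dataclass

# Registry values used below (DNSKEY algorithm 13, DS digest type 2, flag bits).
ALG_ECDSAP256SHA256 = 13
DIGEST_SHA256 = 2
FLAGS_KSK = 257   # ZONE (256) | SEP (1)
FLAGS_ZSK = 256


@dataclass(frozen=True)
class DNSKEY:
    """DNSKEY/CDNSKEY RDATA (RFC 4034 section 2); both types share this wire format."""
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit word sum over the RDATA, carry folded back in.
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    """DS/CDS RDATA (RFC 4034 section 5); frozen so RRsets can be compared as sets."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(owner: str, key: DNSKEY) -> DS:
    """DS digest = SHA-256(owner name wire || DNSKEY RDATA) per RFC 4509."""
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, DIGEST_SHA256, digest)


def cds_check(owner, dnskeys, cds_rrset, cdnskey_rrset, multi_signer=False):
    """Return a list of problems with the CDS/CDNSKEY RRsets the zone would publish.

    multi_signer=False models the check the issue describes: every CDS/CDNSKEY
    must match a DNSKEY present in the zone, so another provider's KSK is an error.
    multi_signer=True admits such foreign records.  In both modes this example also
    insists the zone's own KSKs stay covered, because a CDS/CDNSKEY RRset that drops
    them would make the parent withdraw the DS the zone is actually signed under
    (that last rule is the example's own addition).
    """
    problems = []
    own_ds = {ds_from_dnskey(owner, k) for k in dnskeys}
    own_keys = set(dnskeys)
    if not multi_signer:
        for cds in cds_rrset:
            if cds not in own_ds:
                problems.append(f"CDS keytag {cds.key_tag} alg {cds.algorithm} has no matching DNSKEY")
        for cdk in cdnskey_rrset:
            if cdk not in own_keys:
                problems.append(f"CDNSKEY keytag {cdk.key_tag()} alg {cdk.algorithm} has no matching DNSKEY")
    for ksk in (k for k in dnskeys if k.flags & 1):      # SEP bit set
        if cds_rrset and ds_from_dnskey(owner, ksk) not in set(cds_rrset):
            problems.append(f"own KSK keytag {ksk.key_tag()} is missing from the CDS RRset")
        if cdnskey_rrset and ksk not in set(cdnskey_rrset):
            problems.append(f"own KSK keytag {ksk.key_tag()} is missing from the CDNSKEY RRset")
    return problems


def multi_signer_rrsets(owner, ksks):
    """CDS and CDNSKEY RRsets both providers should publish: one entry per provider KSK."""
    return [ds_from_dnskey(owner, k) for k in ksks], list(ksks)


# Constructed zone and placeholder key material (64 bytes, the size of an alg-13 key).
ZONE = "example.test."
PROVIDER_A_KSK = DNSKEY(FLAGS_KSK, 3, ALG_ECDSAP256SHA256, bytes(range(64)))
PROVIDER_A_ZSK = DNSKEY(FLAGS_ZSK, 3, ALG_ECDSAP256SHA256, bytes(range(64, 128)))
PROVIDER_B_KSK = DNSKEY(FLAGS_KSK, 3, ALG_ECDSAP256SHA256, bytes(range(128, 192)))


def demo():
    """Provider A's zone publishing the two-entry RRsets: strict check vs. relaxed check."""
    zone_keys = [PROVIDER_A_KSK, PROVIDER_A_ZSK]
    cds, cdnskey = multi_signer_rrsets(ZONE, [PROVIDER_A_KSK, PROVIDER_B_KSK])
    strict = cds_check(ZONE, zone_keys, cds, cdnskey)
    relaxed = cds_check(ZONE, zone_keys, cds, cdnskey, multi_signer=True)
    return strict, relaxed


if __name__ == "__main__":
    strict, relaxed = demo()
    print("strict check:", strict or "ok")
    print("multi-signer check:", relaxed or "ok")
```

Run as-is, the strict pass reports provider B's CDS and CDNSKEY as having no matching DNSKEY, which is the error the issue wants to make configurable, while the multi-signer pass accepts the same RRsets. The own-KSK rule still fires in either mode if a provider publishes a CDS RRset that omits its own key.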