BIND issue #844 (ISC Open Source Projects on GitLab)
Issue created Jan 28, 2019 by Tony Finch (@fanf), Owner

dnssec-checkds KSK rollover enhancements

This issue is a list of enhancements to dnssec-checkds intended to support automatic KSK rollovers.

The context for this is that dnssec-keymgr needs to have an interlock in the KSK rollover process to make sure the parent zone is up-to-date before dnssec-keymgr proceeds to make any potentially breaking changes. The current manual page sensibly suggests using dnssec-checkds for this purpose.

I intend to work on these features; this issue is for sketching out what I plan to work on and for refining the plan.

CDS / CDNSKEY support

At the moment, dnssec-checkds is unaware of CDS and CDNSKEY records.

It should be improved so that (in its normal mode of operation) dnssec-checkds will verify that the parent DS records match the child's CDS records. Unlike the current behaviour (which checks that the delegation works, rather than that it is consistent), no differences will be permitted.

The idea is that CDS records are used to communicate the rollover state from dnssec-keymgr to dnssec-checkds, so dnssec-checkds only needs to look at the DNS, not at the keys on disk.

DS digest algorithm control

At the moment, dnssec-checkds expects both SHA-1 and SHA-256 DS digests. This should be amended to SHA-256 only by default.

When dnssec-checkds is comparing DS records against CDNSKEY or DNSKEY RRsets, it should be possible for the invoker to specify algorithms that must be present, or must not be present, or no preference.

Recursive vs authoritative lookups

At the moment, dnssec-checkds queries via the default recursive server. There is a risk that it will get a false-positive answer if there is a large propagation delay between parental authoritative servers, but the local resolver happens to be talking to a parental server with a low delay.

In authoritative mode, dnssec-checkds should get the list of parent servers from the local resolver, then query each of them, and ensure they all give the OK.

Edited Jan 28, 2019 by Tony Finch
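As an added worked example (not code from dnssec-checkds, BIND or the issue author), the three checks sketched above in Python using only the standard library: a parser for DS/CDS presentation format, the DS that a CDNSKEY implies (RFC 4034 section 5.1.4 digest over owner name plus DNSKEY RDATA, appendix B key tag), an exact-match comparison with a must-have / must-not-have digest-type policy, and a per-server pass that accepts the rollover only if every parent server is clean. The zone example.com, the parent server names a.parent.test and b.parent.test, and the four-byte "public keys" are constructed inputs; in the real tool the per-server DS RRsets would come from querying each parent authoritative server directly.

```python
import base64
import hashlib
from dataclasses import dataclass

# DS digest type numbers (IANA "DS RR Digest Algorithms" registry).
SHA1, SHA256, SHA384 = 1, 2, 4
_HASH = {SHA1: hashlib.sha1, SHA256: hashlib.sha256, SHA384: hashlib.sha384}


@dataclass(frozen=True, order=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex

    def to_text(self, owner: str, rrtype: str = "DS") -> str:
        return (f"{owner} 3600 IN {rrtype} {self.key_tag} {self.algorithm} "
                f"{self.digest_type} {self.digest.upper()}")


def parse_rrset(text: str) -> frozenset:
    """Parse DS or CDS records in presentation format, one per line:
    '<owner> [ttl] [IN] DS|CDS <key tag> <algorithm> <digest type> <hex digest...>'.
    The hex digest may be split over several whitespace-separated tokens."""
    records = set()
    for line in text.strip().splitlines():
        fields = line.split()
        pos = next((i for i, f in enumerate(fields) if f.upper() in ("DS", "CDS")), None)
        if pos is None:
            raise ValueError(f"not a DS/CDS record: {line!r}")
        key_tag, algorithm, digest_type = (int(f) for f in fields[pos + 1:pos + 4])
        records.add(DS(key_tag, algorithm, digest_type, "".join(fields[pos + 4:]).lower()))
    return frozenset(records)


def owner_wire(owner: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in owner.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B.1 key tag over DNSKEY RDATA (algorithm 1 uses a different rule)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=SHA256) -> DS:
    """The DS a (C)DNSKEY record implies: digest(owner | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    digest = _HASH[digest_type](owner_wire(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), algorithm, digest_type, digest)


def check_parent(parent_ds, child_cds, require=(SHA256,), forbid=(SHA1,)):
    """Problems found when one parent server's DS RRset is held against the child's CDS RRset.
    Any difference counts (a working delegation is not enough); 'require' and 'forbid' are
    digest types that must / must not appear in the parent's DS RRset."""
    problems = []
    problems += [f"parent is missing DS {d.key_tag}/{d.algorithm}/{d.digest_type}"
                 for d in sorted(child_cds - parent_ds)]
    problems += [f"parent has stale DS {d.key_tag}/{d.algorithm}/{d.digest_type}"
                 for d in sorted(parent_ds - child_cds)]
    present = {d.digest_type for d in parent_ds}
    problems += [f"required digest type {t} absent" for t in require if t not in present]
    problems += [f"forbidden digest type {t} present" for t in forbid if t in present]
    return problems


def check_all_parent_servers(responses, child_cds, **policy):
    """Authoritative mode: 'responses' maps each parent NS to the DS RRset text it returned
    (constructed here; the real tool would query each server directly)."""
    return {ns: check_parent(parse_rrset(text), child_cds, **policy)
            for ns, text in responses.items()}


def all_ok(results) -> bool:
    """The rollover may proceed only when every parent server reported no problems."""
    return all(not problems for problems in results.values())


def demo():
    """Constructed KSK rollover scenario: the child publishes CDS for old and new KSK;
    parent server a.parent.test is up to date, b.parent.test still serves only the old DS."""
    old = ds_from_dnskey("example.com.", 257, 3, 13, "AQIDBA==")  # toy 4-byte key, not real ECDSA
    new = ds_from_dnskey("example.com.", 257, 3, 13, "BQYHCA==")
    child_cds = parse_rrset(old.to_text("example.com.", "CDS") + "\n"
                            + new.to_text("example.com.", "CDS"))
    responses = {
        "a.parent.test": old.to_text("example.com.") + "\n" + new.to_text("example.com."),
        "b.parent.test": old.to_text("example.com."),
    }
    return check_all_parent_servers(responses, child_cds)


if __name__ == "__main__":
    results = demo()
    for ns, problems in results.items():
        print(ns, "OK" if not problems else problems)
    print("safe to proceed:", all_ok(results))
```

With the default policy (SHA-256 required, SHA-1 forbidden) the lagging server b.parent.test is reported as missing the new DS, so all_ok() is false and an automated rollover would wait rather than retire the old KSK. Passing require=() or forbid=() relaxes the digest policy to "no preference" for that type.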