Bug #720
Bind9 KASP Migration Problems
Start date:
2018-05-07
Due date:
% Done:
0%
Estimated time:
(Total: 0:00 h)
Patch Available:
Confirmed:
No
Branch:
Entity:
DuckCorp
Security:
Help Needed:
Description
This is the migration from the preliminary DNSSEC implementation called `dnssec-keymgr` to the integrated KASP scheduler with `dnssec-policy`.
We encountered a few bugs or limitations (the later being expected improvements from the old system that are still dearly lacking):- old apparmor profile in the way
- does not properly import keys and states from old system
- rndc dnssec -rollover takes a very long time to be taken into account; not good for emergency rollover
- dnssec-policy checkds takes a long time to be taken into account
- implement check if the DS record has been published
- NSEC3 RRs not maintained properly; we are not affected but that's bad
- new KSK submission hook; could be useful until registrars properly support CDS/CDNSKEY
publishing of CDS/CDNSKEYhandled by KASPautomate using published CDS/CDNSKEY in parent zones we managecreated support with a crontab in the bind9 role- notify Bind when the DS is published/withdrawn: I guess we would need to make a script since it's probably gonna take some time before it's added upstream
- automate using published CDS/CDNSKEY in parent zones we do not manage: currently Gandi, either with the old XMLRPC API or maybe change registrar
- rewrite the rollover notification script for KASP (needed until all is automated and to check all is fine)
Subtasks