DuckCorp » DuckCorp Infrastructure

This is the migration from the preliminary DNSSEC implementation called `dnssec-keymgr` to the integrated KASP scheduler with `dnssec-policy`.

We encountered a few bugs or limitations (the later being expected improvements from the old system that are still dearly lacking):

• old apparmor profile in the way
• does not properly import keys and states from old system fixed in 9.16.11
• Migrating to dnssec-policy, DS is set to rumoured could not be reproduced upstream (just for reference)
• rndc dnssec -rollover takes a very long time to be taken into account; not good for emergency rollover planned for 9.16.4 or 9.16.5
• implement check if the DS record has been published (should be in 9.16.19)
• automatic purge of old keys purge-keys added in 9.16.13
• NSEC3 RRs not maintained properly; we are not affected but that's bad fixed in 9.16.12
• new KSK submission hook; could be useful until registrars properly support CDS/CDNSKEY

Features we really need:

• publishing of CDS/CDNSKEY handled by KASP
• automate using published CDS/CDNSKEY in parent zones we manage created support with a crontab in the bind9 role
• notify Bind when the DS is published/withdrawn: I guess we would need to make a script since it's probably gonna take some time before it's added upstream
• automate using published CDS/CDNSKEY in parent zones we do not manage: currently Gandi, either with the old XMLRPC API or maybe change registrar
• rewrite the rollover notification script for KASP (needed until all is automated and to check all is fine)