Project

General

Profile

Bug #720

Updated by Marc Dequènes 8 days ago

This is the migration from the preliminary DNSSEC implementation called `dnssec-keymgr` to the integrated KASP scheduler with `dnssec-policy`.

We encountered a few bugs or limitations (the later being expected improvements from the old system that are still dearly lacking):
* "old apparmor profile in the way":https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958934
* "does not properly import keys and states from old system":https://gitlab.isc.org/isc-projects/bind9/-/issues/2404
* "rndc dnssec -rollover takes a *very* long time to be taken into account; not good for emergency rollover":https://gitlab.isc.org/isc-projects/bind9/-/issues/2488
* "dnssec-policy checkds takes a long time to be taken into account":https://gitlab.isc.org/isc-projects/bind9/-/issues/2500
* "implement check if the DS record has been published":https://gitlab.isc.org/isc-projects/bind9/-/issues/1126

Tickets to keep track of:
* "NSEC3 RRs not maintained properly; we are not affected but that's bad":https://gitlab.isc.org/isc-projects/bind9/-/issues/2498
* "new KSK submission hook; could be useful until registrars properly support CDS/CDNSKEY (RFC 7344)":https://gitlab.isc.org/isc-projects/bind9/-/issues/1890

Features we really need:
* -publishing of CDS/CDNSKEY- handled by KASP
* -automate using published CDS/CDNSKEY in parent zones we manage- created support with a crontab in the bind9 role
* notify Bind when the DS is published/withdrawn: I guess we would need to make a script since it's probably gonna take some time before it's added upstream
* automate using published CDS/CDNSKEY in parent zones we do not manage: currently Gandi, either with the old XMLRPC API or maybe change registrar
* rewrite the rollover notification script for KASP (needed until all is automated and to check all is fine)

Back