Project

General

Profile

Bug #720

Updated by Marc Dequènes about 3 years ago

This is the migration from the preliminary DNSSEC implementation called `dnssec-keymgr` to the integrated KASP scheduler with `dnssec-policy`. 

 We encountered a few bugs or limitations (the later being expected improvements from the old system that are still dearly lacking): 
 * "old apparmor profile in the way":https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958934 
 * "does not properly import keys and states from old system":https://gitlab.isc.org/isc-projects/bind9/-/issues/2404 
 * "rndc dnssec -rollover takes a *very* long time to be taken into account; not good for emergency rollover":https://gitlab.isc.org/isc-projects/bind9/-/issues/2488 
 * "dnssec-policy checkds takes a long time to be taken into account":https://gitlab.isc.org/isc-projects/bind9/-/issues/2500 
 * "implement check if the DS record has been published":https://gitlab.isc.org/isc-projects/bind9/-/issues/1126 

 Tickets to keep track of: 
 * "NSEC3 RRs not maintained properly; we are not affected but that's bad":https://gitlab.isc.org/isc-projects/bind9/-/issues/2498 
 * "new KSK submission hook; could be useful until registrars properly support CDS/CDNSKEY (RFC 7344)":https://gitlab.isc.org/isc-projects/bind9/-/issues/1890 

 Features we really need: 
 * -publishing of CDS/CDNSKEY- handled by KASP 
 * -automate using published CDS/CDNSKEY in parent zones we manage- created support with a crontab in the bind9 role 
 * notify Bind when the DS is published/withdrawn: I guess we would need to make a script since it's probably gonna take some time before it's added upstream 
 * automate using published CDS/CDNSKEY in parent zones we do not manage: currently Gandi, either with the old XMLRPC API or maybe change registrar 
 * rewrite the rollover notification script for KASP (needed until all is automated and to check all is fine) 

Back