Bug #720
Updated by Marc Dequènes over 3 years ago
This is the migration from the preliminary DNSSEC implementation called `dnssec-keymgr` to the integrated KASP scheduler with `dnssec-policy`.

We encountered a few bugs or limitations (the latter being expected improvements from the old system that are still dearly lacking):

* "old apparmor profile in the way":https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958934
* -"does not properly import keys and states from old system":https://gitlab.isc.org/isc-projects/bind9/-/issues/2404- fixed in 9.16.11
* -"Migrating to dnssec-policy, DS is set to rumoured":https://gitlab.isc.org/isc-projects/bind9/-/issues/2544- could not be reproduced upstream (just for reference)
* -"rndc dnssec -rollover takes a *very* long time to be taken into account; not good for emergency rollover":https://gitlab.isc.org/isc-projects/bind9/-/issues/2488 planned for 9.16.4 or 9.16.5- 9.16.5
* "implement check if the DS record has been published":https://gitlab.isc.org/isc-projects/bind9/-/issues/1126 (should be in 9.16.19)
* -automatic purge of old keys- _purge-keys_ added in 9.16.13
* -"NSEC3 RRs not maintained properly; we are not affected but that's bad":https://gitlab.isc.org/isc-projects/bind9/-/issues/2498- fixed in 9.16.12
* "new KSK submission hook; could be useful until registrars properly support CDS/CDNSKEY (RFC 7344)":https://gitlab.isc.org/isc-projects/bind9/-/issues/1890

Features we really need:

* -publishing of CDS/CDNSKEY- handled by KASP
* -automate using published CDS/CDNSKEY in parent zones we manage- created support with a crontab in the bind9 role
* notify Bind when the DS is published/withdrawn: I guess we would need to make a script since it's probably gonna take some time before it's added upstream
* automate using published CDS/CDNSKEY in parent zones we do not manage: currently Gandi, either with the old XMLRPC API or maybe change registrar
* rewrite the rollover notification script for KASP (needed until all is automated and to check all is fine)
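The "check if the DS record has been published" and "notify Bind when the DS is published/withdrawn" items above amount to one comparison: does the DS RRset the parent serves match the CDS RRset the child advertises? The script below is an added example, not code from this issue, from BIND or from the bind9 role. It parses DS/CDS lines in the form `dig +noall +answer` prints them (the two RRsets here are constructed, with made-up digests and the zone name `example.org`), classifies the parent's state, handles the RFC 8078 `CDS 0 0 0 00` delete record, and only then builds the `rndc dnssec -checkds -key <tag> published|withdrawn <zone>` invocation; that subcommand is assumed to exist in the installed BIND 9.16, and the command is returned rather than executed.

```python
"""Compare the DS RRset served by the parent with the CDS RRset advertised by the child.

Added example (not from the issue or from BIND). The RRsets below are constructed;
in production they would come from
    dig +noall +answer example.org DS  @<parent-nameserver>
    dig +noall +answer example.org CDS @<child-nameserver>
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DsRecord:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex digest, upper-case, whitespace removed


# RFC 8078 "delete" CDS: the child asks the parent to remove every DS record.
CDS_DELETE = DsRecord(0, 0, 0, "00")

# Expected hex length per digest type: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}


def parse_ds_rrset(text):
    """Parse zone-file style DS/CDS lines (as printed by dig) into a set of DsRecord."""
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # Layout: owner [ttl] [class] DS|CDS key_tag algorithm digest_type digest...
        type_idx = next((i for i, f in enumerate(fields) if f.upper() in ("DS", "CDS")), None)
        if type_idx is None or len(fields) < type_idx + 5:
            raise ValueError(f"not a DS/CDS record: {line!r}")
        key_tag, algorithm, digest_type = (int(f) for f in fields[type_idx + 1:type_idx + 4])
        digest = "".join(fields[type_idx + 4:]).upper()  # dig may split the digest into chunks
        if any(c not in "0123456789ABCDEF" for c in digest):
            raise ValueError(f"digest is not hex: {line!r}")
        expected = DIGEST_HEX_LEN.get(digest_type)
        if expected is not None and len(digest) != expected:
            raise ValueError(f"digest type {digest_type} expects {expected} hex chars: {line!r}")
        records.add(DsRecord(key_tag, algorithm, digest_type, digest))
    return records


def compare_ds(parent_ds, child_cds):
    """Classify the parent's DS set against the child's CDS set.

    Returns (state, missing, stale) where state is one of 'no-cds', 'withdrawn',
    'pending-withdrawal', 'published', 'pending', 'stale'; missing holds CDS records
    the parent does not serve yet; stale holds DS records the parent still serves
    although the child no longer advertises them.
    """
    if not child_cds:
        return "no-cds", set(), set()
    if child_cds == {CDS_DELETE}:
        # The child wants every DS gone, so whatever the parent still serves is stale.
        return ("withdrawn" if not parent_ds else "pending-withdrawal"), set(), set(parent_ds)
    missing = child_cds - parent_ds
    stale = parent_ds - child_cds
    state = "pending" if missing else "stale" if stale else "published"
    return state, missing, stale


def checkds_command(zone, key_tag, parent_ds, child_cds):
    """Build the rndc invocation telling named that the DS for key_tag has been seen
    published at, or withdrawn from, the parent (assumes `rndc dnssec -checkds`
    is available in the installed BIND). Returns None while the parent has not
    caught up, so nothing is signalled prematurely."""
    in_parent = any(r.key_tag == key_tag for r in parent_ds)
    in_cds = any(r.key_tag == key_tag for r in child_cds)
    base = ["rndc", "dnssec", "-checkds", "-key", str(key_tag)]
    if in_cds and in_parent:
        return base + ["published", zone]
    if not in_cds and not in_parent:
        return base + ["withdrawn", zone]
    return None


# --- constructed sample data (not real keys or digests) ---
DIGEST_OLD = "0123456789ABCDEF" * 4  # SHA-256-sized digest for key tag 12345
DIGEST_NEW = "FEDCBA9876543210" * 4  # SHA-256-sized digest for key tag 54321
# Parent still serves only the old key's DS; dig printed the digest in two chunks.
PARENT_DS_BEFORE = f"example.org. 86400 IN DS 12345 13 2 {DIGEST_OLD[:32]} {DIGEST_OLD[32:]}\n"
# Child advertises both keys while the KSK rollover is in progress.
CHILD_CDS = (
    f"example.org. 3600 IN CDS 12345 13 2 {DIGEST_OLD}\n"
    f"example.org. 3600 IN CDS 54321 13 2 {DIGEST_NEW}\n"
)
# Parent after it has picked up the CDS set.
PARENT_DS_AFTER = PARENT_DS_BEFORE + f"example.org. 86400 IN DS 54321 13 2 {DIGEST_NEW}\n"

if __name__ == "__main__":
    cds = parse_ds_rrset(CHILD_CDS)
    for label, text in (("before", PARENT_DS_BEFORE), ("after", PARENT_DS_AFTER)):
        parent = parse_ds_rrset(text)
        state, missing, stale = compare_ds(parent, cds)
        print(label, state, sorted(r.key_tag for r in missing), sorted(r.key_tag for r in stale))
        print("   ", checkds_command("example.org", 54321, parent, cds))
```

Run from cron with the real `dig` output substituted for the constructed strings, it is a drop-in for the "DS published" half of the rollover notification script: the `pending` and `stale` states are the ones worth alerting on, and the command is only emitted once the parent really serves (or no longer serves) the key tag being rolled.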