John Allen wrote:
For this exercise all time is measured in days
|<---------------------------- Key Life ----------------------------->|
|               |                                  |                  |
|<- Lead Time ->|<---------- Active Life --------->|<-- Retirement -->|
|               |                                  |                  |
|____ __________|__________________________________|__________________|
|    |          |                                  |                  |
|  _P_ublish    |                                  |                  |
|    |          |                                  |                  |
|<- Create      |<- _A_ctive          _I_nactive ->|        _D_elete->|
Problem:
- What is the easiest/best way of retrieving information on the current ZSK?
I use a symbolic link that I resolve using "readlink":
% ln -s Kexample.com.+008+25464.key Kexample.com.active.zsk
% readlink Kexample.com.active.zsk
Kexample.com.+008+25464.key
It would also be possible to retrieve a RRSIG from the active zonefile (or from an authoritative DNS server) and get the ZSK keytag number (field 6 of the RRSIG data) from there:
# dig soa sys4.de +dnssec

;; ANSWER SECTION:
sys4.de.    3600  IN  SOA    ns.sys4.de. hostmaster.sys4.de. 2015012206 3600 3600 604800 3600
sys4.de.    3600  IN  RRSIG  SOA 8 2 3600 20150129030130 20150122135311 14544 sys4.de. xg6+KXifZyQj3URwaY6XaTsLcQn7g31DiVv+Q3u2IHBQzZZjAvkTm35W qjWDSsaD31jeNgQVCqvROHs9jmXM+LbSBqfxxLcdR9HFrhuTSZl03S4+ 9KIuAbfej7Fr/jguadPPel7ZfdKHf43QvUpb5iy3kxfGh9uzqAvad0BH h+E=
The current ZSK for sys4.de has the keytag 14544 and algorithm 8, so the name of the key-file on disk is "Ksys4.de.+008+14544.key" (true only for BIND 9 DNSSEC tools).
- Could any of the intervals use TTLs? If so, which ones?
Not TTLs alone, as the propagation time (master -> slaves) needs to be taken into account. If you have faith that propagation will happen within your SOA refresh time:

 * Time between "publish" and "active" is SOA refresh + TTL of the DNSKEY record set
 * Time between "inactive" and "deletion" is SOA refresh + largest TTL in the zone

Because of the second one, it is recommended not to use excessive TTLs on DNS records in signed zones (I would recommend max 24 h = 86400 sec).
- Should the he interval in this setup be checked against TTLs.
Sorry, I'm not seeing what the "he" interval is. Can you explain?
Carsten
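As an added illustration (this is not code from the thread, and not Carsten's or John's), the following Python script does both things discussed above in one place: it pulls the key tag and algorithm out of the SOA RRSIG in `dig +dnssec` output and builds the BIND 9 key-file name from them, and it computes the publish->active and inactive->delete waits from the SOA refresh and the TTLs, following the two rules stated in the reply. The embedded dig answer reuses the sys4.de SOA and RRSIG from the post; the zone excerpt with a DNSKEY TTL of 7200 and an A record with TTL 86400 is constructed for the example and is not real sys4.de data.

```python
import re

# Constructed sample of `dig soa sys4.de +dnssec` output.  The SOA and RRSIG
# lines are the ones quoted in the thread; nothing else is claimed about sys4.de.
SAMPLE_DIG = """\
;; ANSWER SECTION:
sys4.de.\t3600\tIN\tSOA\tns.sys4.de. hostmaster.sys4.de. 2015012206 3600 3600 604800 3600
sys4.de.\t3600\tIN\tRRSIG\tSOA 8 2 3600 20150129030130 20150122135311 14544 sys4.de. xg6+KXifZyQj3URwaY6XaTsLcQn7g31DiVv+Q3u2IHBQzZZjAvkTm35W qjWDSsaD31jeNgQVCqvROHs9jmXM+LbSBqfxxLcdR9HFrhuTSZl03S4+ 9KIuAbfej7Fr/jguadPPel7ZfdKHf43QvUpb5iy3kxfGh9uzqAvad0BH h+E=
"""

# Constructed zone excerpt with ASSUMED TTLs, standing in for the full zone file
# that you would scan for the largest TTL.  The DNSKEY RDATA is truncated on purpose.
SAMPLE_ZONE = """\
sys4.de.        3600    IN  SOA     ns.sys4.de. hostmaster.sys4.de. 2015012206 3600 3600 604800 3600
sys4.de.        7200    IN  DNSKEY  256 3 8 AwEAAc...   ; assumed ZSK record
www.sys4.de.    86400   IN  A       192.0.2.1           ; assumed, largest TTL
"""

# owner  ttl  IN  type  rdata  (presentation format as printed by dig / zone files)
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>\S+)\s+(?P<rdata>.*)$")


def parse_records(text):
    """Yield (owner, ttl, type, rdata) for each RR line; skip blank and ';' comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            yield m["name"], int(m["ttl"]), m["type"], m["rdata"]


def find_rrsig(text, covered="SOA"):
    """Return the RRSIG covering `covered` as a dict.

    RRSIG RDATA order (RFC 4034, section 3.2): type covered, algorithm, labels,
    original TTL, signature expiration, signature inception, key tag, signer
    name, signature.  The key tag is therefore index 6 of the split RDATA.
    """
    for _owner, _ttl, rtype, rdata in parse_records(text):
        if rtype != "RRSIG":
            continue
        f = rdata.split()
        if f[0] != covered:
            continue
        return {
            "algorithm": int(f[1]),
            "expiration": f[4],
            "inception": f[5],
            "keytag": int(f[6]),
            "signer": f[7],
        }
    raise LookupError(f"no RRSIG covering {covered} in answer")


def bind_keyfile(signer, algorithm, keytag):
    """BIND 9 dnssec-keygen naming: K<zone>+<alg, 3 digits>+<key tag, 5 digits>.key
    (the signer name from the RRSIG already carries the trailing dot)."""
    return f"K{signer}+{algorithm:03d}+{keytag:05d}.key"


def soa_refresh(text):
    """SOA RDATA order: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    for _owner, _ttl, rtype, rdata in parse_records(text):
        if rtype == "SOA":
            return int(rdata.split()[3])
    raise LookupError("no SOA record in input")


def record_ttl(text, rtype):
    """TTL of the first record of type `rtype` (used for the DNSKEY RRset)."""
    for _owner, ttl, t, _rdata in parse_records(text):
        if t == rtype:
            return ttl
    raise LookupError(f"no {rtype} record in input")


def max_ttl(text):
    """Largest TTL over all records in the (zone) text."""
    return max(ttl for _owner, ttl, _t, _rdata in parse_records(text))


def rollover_intervals(refresh, dnskey_ttl, largest_ttl):
    """Minimum waits in seconds, per the rules in the reply, assuming the
    secondaries pick the zone up within one SOA refresh interval."""
    return {
        "publish_to_active": refresh + dnskey_ttl,
        "inactive_to_delete": refresh + largest_ttl,
    }


if __name__ == "__main__":
    sig = find_rrsig(SAMPLE_DIG)
    print("active ZSK key file:", bind_keyfile(sig["signer"], sig["algorithm"], sig["keytag"]))
    waits = rollover_intervals(soa_refresh(SAMPLE_DIG),
                               record_ttl(SAMPLE_ZONE, "DNSKEY"),
                               max_ttl(SAMPLE_ZONE))
    for name, secs in waits.items():
        print(f"{name}: {secs} s ({secs / 86400:.2f} days)")
```

Note that the largest-TTL rule has to be evaluated against the whole zone file (or an AXFR), not against the dig answer, which only carries the TTLs of the records you asked for; that is why the script takes the zone text separately.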