From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: DNSSEC signatures
Date: Thu, 11 Apr 2019 17:30:34 +0100
Message-ID: <7f6f1240-97aa-3628-53ac-95290a98133b@FreeBSD.org>
In-Reply-To: <4e016c879f783ffda0993eed80293863.squirrel@webmail.harte-lyne.ca>

On 11/04/2019 16:57, James B. Byrne via freebsd-questions wrote:
> There are no other problems with these zones, yet. Does anyone know
> what steps I have not taken that are required to get automatic
> inline zone resigning to work?

You don't show which of your keys are ZSKs and which are KSKs -- the Zone Signing Keys are the ones that Bind will do all the automatic maintenance for, as those generally get rotated on a monthly basis and are used to sign the individual DNS RRs, which probably change at an even faster rate. Key Signing Keys need manual update, since that is typically an annual task that involves having your zone registrar update the DS records for your domain synchronously with your performing a KSK rollover.

If your KSK is out-of-date then you'll need to generate a new one and get it registered upstream ASAP, as the rest of the world (or at least the bits of it that pay attention to DNSSEC) will not be able to see your zone at all.

Use dnsviz.net for debugging: it's invaluable when working on setting this up, and you should get in the habit of checking there at regular intervals to be sure there aren't any problems.

I can heartily recommend Michael Lucas' "DNSSEC Mastery" as a slim volume that will explain what you need to do and why. See: https://mwl.io/nonfiction/networking#dnssec

Cheers,

Matthew
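As an added illustration of the KSK/ZSK distinction and of the DS record the registrar has to carry (example code, not from the list post or from BIND): the script below parses DNSKEY records in presentation format, tells KSKs (flags 257, SEP bit set) from ZSKs (flags 256) by the flags field, computes the RFC 4034 key tag, and derives the SHA-256 DS record a KSK needs. The example.com DNSKEY records are constructed for the demonstration and are not real keys.

```python
import base64
import hashlib

# Constructed sample DNSKEY RRset in presentation format (not real keys):
# a KSK (flags 257, SEP bit set) and a ZSK (flags 256), both algorithm 13.
SAMPLE_DNSKEYS = """\
example.com. 3600 IN DNSKEY 257 3 13 AQIDBA==
example.com. 3600 IN DNSKEY 256 3 13 BQYHCA==
"""

def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the number shown in DS records and key file names)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line):
    """Parse one presentation-format DNSKEY RR into a dict with role, tag and wire RDATA."""
    owner, _ttl, _cls, _type, flags, proto, alg, *key = line.split()
    flags, proto, alg = int(flags), int(proto), int(alg)
    pubkey = base64.b64decode("".join(key))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    role = "KSK" if flags & 0x0001 else "ZSK"   # bit 15 (SEP) marks a Key Signing Key
    return {"owner": owner, "flags": flags, "alg": alg, "role": role,
            "tag": key_tag(rdata), "rdata": rdata}

def ds_record(rec):
    """DS RR (digest type 2, SHA-256) that the registrar must publish for a KSK."""
    digest = hashlib.sha256(owner_wire(rec["owner"]) + rec["rdata"]).hexdigest().upper()
    return f'{rec["owner"]} IN DS {rec["tag"]} {rec["alg"]} 2 {digest}'

def classify_keys(text):
    """Return parsed keys, each with the DS record it needs (None for ZSKs, which need no DS)."""
    keys = [parse_dnskey(l) for l in text.splitlines() if " DNSKEY " in l]
    for k in keys:
        k["ds"] = ds_record(k) if k["role"] == "KSK" else None
    return keys

if __name__ == "__main__":
    for k in classify_keys(SAMPLE_DNSKEYS):
        print(f'{k["role"]} tag={k["tag"]} flags={k["flags"]}', k["ds"] or "(no DS needed)")
```

Comparing the generated DS against the one the parent zone actually serves (for instance with `dig example.com DS`) shows whether the registrar's DS still matches the current KSK or whether the rollover described above is still outstanding.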