Post AyIeA4e2Cqsgu31YeW by oldsysops@social.dk-libre.fr
 (DIR) Post #AyIYB8mhhUo4J6CkF6 by oldsysops@social.dk-libre.fr
       2025-09-17T13:07:43Z
       
       0 likes, 0 repeats
       
       Have a question on DNSSEC KEY rollover (and bind). If I set up inline-signing and dnssec-policy on a zone, will the key roll over automatically? I just have to put the DS record once, and it will rotate without an issue? #DNSSEC #key #askFedi #bind
       
 (DIR) Post #AyIYB9o9tZZ3TttQ9I by bortzmeyer@mastodon.gougere.fr
       2025-09-17T13:16:31Z
       
       0 likes, 0 repeats
       
       @oldsysops Rollover of the ZSK or the KSK ? For the KSK, you will need an interaction with the parent domain and BIND cannot do it by itself.
       
 (DIR) Post #AyIds1J5sSExL3cX9k by x_cli@infosec.exchange
       2025-09-17T13:29:52Z
       
       0 likes, 0 repeats
       
       @bortzmeyer @oldsysops Would CDS/CDNSKEY not work? https://bind9.readthedocs.io/en/latest/dnssec-guide.html#cds-cdnskey
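
A practical check for the parent-side DS interaction the two posts above discuss, as an added example (not code from the thread, from BIND, or from the linked guide): it derives the key tag and SHA-256 DS digest from a zone's KSK DNSKEY record and reports whether that DS appears among the DS records seen at the parent or the CDS records the zone itself publishes. The zone name and the key bytes are constructed, not real.

```python
"""Added example: derive a KSK's DS (digest type 2, SHA-256, RFC 4034/4509)
from its DNSKEY record and check it against DS/CDS lines. Stdlib only."""
import base64
import hashlib

def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased labels plus the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags|proto|alg|key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line: str):
    """Parse one presentation-format DNSKEY line as `dig DNSKEY` prints it."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    return f[0], flags, proto, alg, base64.b64decode("".join(f[i + 4:]))

def ds_for_dnskey(line: str):
    """Return (key tag, algorithm, digest type, hex digest) the parent's DS should carry."""
    owner, flags, proto, alg, pub = parse_dnskey(line)
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pub
    return key_tag(rdata), alg, 2, hashlib.sha256(owner_wire(owner) + rdata).hexdigest()

def ksk_matches(dnskey_line: str, ds_lines) -> bool:
    """True if the KSK's SHA-256 DS is present among the given DS or CDS lines."""
    tag, alg, dtype, digest = ds_for_dnskey(dnskey_line)
    for line in ds_lines:
        f = line.split()
        j = next(k for k, tok in enumerate(f) if tok in ("DS", "CDS"))
        if ((int(f[j + 1]), int(f[j + 2]), int(f[j + 3])) == (tag, alg, dtype)
                and "".join(f[j + 4:]).lower() == digest):
            return True
    return False

# Constructed sample data: a 64-byte pattern stands in for an ECDSA P-256 public
# key (algorithm 13). It is not a real key; only the record arithmetic matters.
PUB_B64 = base64.b64encode(bytes(range(64))).decode()
KSK_LINE = f"example.net. 3600 IN DNSKEY 257 3 13 {PUB_B64}"
GOOD_DS = "example.net. 3600 IN DS %d %d %d %s" % ds_for_dnskey(KSK_LINE)
STALE_DS = "example.net. 3600 IN DS 12345 13 2 " + "00" * 32  # DS of a retired key
```

Feed `ksk_matches` the DNSKEY line from the child zone and the DS lines returned by the parent's nameservers; a `False` after a KSK rollover means the new DS has not been published yet and the old KSK must stay in the zone.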
       
 (DIR) Post #AyIds2VBQzVN2qHhdg by bortzmeyer@mastodon.gougere.fr
       2025-09-17T14:20:16Z
       
       0 likes, 0 repeats
       
       @x_cli @oldsysops Very few registries/registrars implement it.
       
 (DIR) Post #AyIeA4e2Cqsgu31YeW by oldsysops@social.dk-libre.fr
       2025-09-17T14:22:23Z
       
       0 likes, 0 repeats
       
       @bortzmeyer@mastodon.gougere.fr Argh, so if I've got a signed domain I'll have to update the DS record often... not cool
       
 (DIR) Post #AyIeA5mZyZJIQq1tbs by bortzmeyer@mastodon.gougere.fr
       2025-09-17T14:23:34Z
       
       0 likes, 0 repeats
       
       @oldsysops No, because there is no serious reason to change the KSK often. (I changed mine twice in more than ten years.)
       
 (DIR) Post #AyIhHaag89CLs3jIA4 by oldsysops@social.dk-libre.fr
       2025-09-17T14:43:52Z
       
       0 likes, 0 repeats
       
       @bortzmeyer@mastodon.gougere.fr You aren't required to change it?
       
 (DIR) Post #AyIhHbeGCJep9SPfNo by bortzmeyer@mastodon.gougere.fr
       2025-09-17T14:58:32Z
       
       0 likes, 0 repeats
       
       @oldsysops No. Who would require that, anyway?
       
 (DIR) Post #AyIjSrvaDAKQjd0ueW by oldsysops@social.dk-libre.fr
       2025-09-17T15:21:35Z
       
       0 likes, 0 repeats
       
       @bortzmeyer@mastodon.gougere.fr I may misunderstand the doc, but I was getting the feeling that all keys should be rotated; if it's just the ZSK, I'm fine with that.
       
 (DIR) Post #AyIjSspEsEqdWF3MP2 by bortzmeyer@mastodon.gougere.fr
       2025-09-17T15:22:59Z
       
       0 likes, 0 repeats
       
       @oldsysops There are different opinions on whether it is a good idea to rotate the KSK but nobody said it should be required (the root changed its KSK only once since it was signed).
       
 (DIR) Post #AyJEaf9KhYTs02dpke by pmevzek@framapiaf.org
       2025-09-17T21:11:42Z
       
       0 likes, 0 repeats
       
       @bortzmeyer @x_cli @oldsysops True. Registrars won't be happy if registries do it, and registrars have no incentives to do it, preferring to force clients to also use their own DNS service. As such, technically there is no chance for improvements there in coverage (https://www.ietf.org/archive/id/draft-ietf-dnsop-generalized-notify-07.html could be a technical improvement for speed of convergence), and like IPv6 or DNSSEC this would happen at scale only if written in contracts as mandatory (ICANN to registries/registrars) [+ work on DELEG(I)]