mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-22 18:19:42 +00:00
Code Issues Releases Wiki Activity

Add CDS/CDNSKEY DELETE documentation

Browse Source 
Mention in the DNSSEC guide in the "revert to unsigned" recipe that you
can publish CDS and CDNSKEY DELETE records to remove the corresponding
DS records from the parent zone.
This commit is contained in:
Matthijs Mekking 2022-04-12 15:26:18 +02:00
parent ebbcf4c34f
commit f088657eb1
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
doc/dnssec-guide/recipes.rst
View File

@ -1067,6 +1067,12 @@ Below is an example showing how to remove DS records using the
Revert to Unsigned Step #4
If your parent allows managing DS record via CDS/CDNSKEY, as described in
:rfc:`5155`, you could add CDS/CDNSKEY DELETE records in your zone to signal
that the corresponding DS records from the parent zone needs to be removed.
If it is unclear which format the parent zone is expecting, you should publish
both CDS and CDNSKEY DELETE records.
To be on the safe side, wait a while before actually deleting
all signed data from your zone, just in case some validating resolvers
have cached information. After you are certain that all cached
@ -1099,7 +1105,8 @@ Then use :option:`rndc reload` to reload the zone.
The "insecure" policy is a built-in policy (like "default"). It will make sure
the zone is still DNSSEC maintained, to allow for a graceful transition to
unsigned.
unsigned. It also publishes the CDS and CDNSKEY DELETE records for you when
the time is right.
When the DS records have been removed from the parent zone, use
:option:`rndc dnssec -checkds -key id withdrawn example.com <rndc dnssec>` to tell :iscman:`named` that