DLV validation fails after ksk rollover

Chris Thompson cet1 at cam.ac.uk
Tue Jun 23 16:16:53 UTC 2009

On Jun 23 2009, R Dicaire wrote:

>Hi folks...Yesterday I performed a DNSSEC KSK rollover, updated DLV
>with the new keys, and confirmed successful updates to DLV via their
>script. According to DLV all zones are good. Upon completing this, I
>then removed the old keys from the DLV db for each zone I have
>Now when I attempt to validate lookups against DLV, the lookups fail.
>To test lookup I was using:
>dig +dnssec www.kritek.net aaaa
>Here's the logging output using debug 3 for dnssec:
>I don't know the frequency that DLV updates its records, so I don't
>know if this is simply a matter of waiting for them to update (its
>been ~24 hours since I completed the ksk rollover, and updated DLV
>with the new keys), or if there's a configuration issue at my end, or
>if I deleted my old keys from DLV too soon.

$ dig +short soa dlv.isc.org
ns-int.isc.org. hostmaster.isc.org. 2009061901 7200 3600 2419200 3600

The dlv.isc.org zone has not been updated since Friday. (Yes, ISC
do use human-readable serial numbers.) You now have only a KSK with
tag 33834, while dlv.isc.org has DLV records for you only with a tag
of 35856, presumably referring to your old KSK.

Whether cycling your registered KSKs *ought* to have got the dlv.isc.org
zone updated by now, I'll have to leave it to ISC to say. But belt and
braces - always check yourself.

>Which begs another question: I recall reading in an RFC that there
>were a couple or three different "policies" regarding the manner of
>ksk rollovers, one being pre-publish, is this the method best suited
>for DLV use?
>The last time I performed a ksk rollover, I didn't immediately remove
>the old keys fom DLV, and I suspect this might be the cause for my
>current lookup issues.

I would do:

  1. Add a second KSK to your zone.
  2. Register the second KSK at dlv.isc.org. 
  3. Make sure the new DS records are published.
  4. De-register the original KSK at dlv.isc.org.
  5. Remove the original KSK from your zone.

There ought also to be delays in there to allow old things in caches
to expire.

The point is that having multiple KSKs is cheap, as only the DNSKEY
RRset is signed with them. 

>Everything used locally is bind 9.6.1 on slackware linux 12.0/12.1 and
>freebsd 7.2
>I'm not sure how to further troubleshoot DLV lookup problems. Any
>help/pointers/etc would be greatly appreciated.

Useful to me diagnosing your problem were

  dig dlv kritek.net.dlv.isc.org.
  dig +dnssec +cd dnskey kritek.net.

and observing that the key tags didn't agree.

Chris Thompson
Email: cet1 at cam.ac.uk

More information about the bind-users mailing list