DLV validation fails after ksk rollover

Mark Andrews marka at isc.org
Wed Jun 24 00:10:03 UTC 2009


In message <Prayer.1.3.1.0906231716530.31092 at hermes-2.csi.cam.ac.uk>, Chris Thompson writes:
> On Jun 23 2009, R Dicaire wrote:
> 
> >Hi folks...Yesterday I performed a DNSSEC KSK rollover, updated DLV
> >with the new keys, and confirmed successful updates to DLV via their
> >script. According to DLV all zones are good. Upon completing this, I
> >then removed the old keys from the DLV db for each zone I have
> >registered.
> >Now when I attempt to validate lookups against DLV, the lookups fail.
> >To test lookup I was using:
> >
> >dig +dnssec www.kritek.net aaaa
> >
> >Here's the logging output using debug 3 for dnssec:
> >
> >http://www.ardynet.com/kritek-dlv-fail.txt
> >
> >I don't know the frequency that DLV updates its records, so I don't
> >know if this is simply a matter of waiting for them to update (its
> >been ~24 hours since I completed the ksk rollover, and updated DLV
> >with the new keys), or if there's a configuration issue at my end, or
> >if I deleted my old keys from DLV too soon.
> 
> $ dig +short soa dlv.isc.org
> ns-int.isc.org. hostmaster.isc.org. 2009061901 7200 3600 2419200 3600
> 
> The dlv.isc.org zone has not been updated since Friday. (Yes, ISC
> do use human-readable serial numbers.) You now have only a KSK with
> tag 33834, while dlv.isc.org has DLV records for you only with a tag
> of 35856, presumably referring to your old KSK.
> 
> Whether cycling your registered KSKs *ought* to have got the dlv.isc.org
> zone updated by now, I'll have to leave it to ISC to say. But belt and
> braces - always check yourself.

	Even if the update were published on the master instantaneously
	you still need to wait for the zone to transfer to all the
	slaves and for the old DLV records to timeout of caches.

	DNSSEC changes are not and never will be instantaneous.  You
	either have to change the DLV/DS records in advance of
	adding keys in or you need to wait for the old DNSKEY RRset to
	timeout before you change your DNSKEY RRset.  You tried to
	change both at once and that will never work.

> >Which begs another question: I recall reading in an RFC that there
> >were a couple or three different "policies" regarding the manner of
> >ksk rollovers, one being pre-publish, is this the method best suited
> >for DLV use?
> >
> >The last time I performed a ksk rollover, I didn't immediately remove
> >the old keys from DLV, and I suspect this might be the cause for my
> >current lookup issues.
> 
> I would do:
> 
>   1. Add a second KSK to your zone.
>   2. Register the second KSK at dlv.isc.org.  

	and the parent zone when it is signed.

>   3. Make sure the new DS records are published.

	Wait for caches to flush of the old data.   This requires
	waiting for the new data to be published first.

>   4. De-register the original KSK at dlv.isc.org.

	and the parent zone.

>   5. Remove the original KSK from your zone.
> 
> There ought also to be delays in there to allow old things in caches
> to expire.
> 
> The point is that having multiple KSKs is cheap, as only the DNSKEY
> RRset is signed with them. 
> 
> >Everything used locally is bind 9.6.1 on slackware linux 12.0/12.1 and
> >freebsd 7.2
> >
> >I'm not sure how to further troubleshoot DLV lookup problems. Any
> >help/pointers/etc would be greatly appreciated.
> 
> Useful to me diagnosing your problem were
> 
>   dig dlv kritek.net.dlv.isc.org.
>   dig +dnssec +cd dnskey kritek.net.

	I would add +multi as that catches failures to re-sign
	the zone.  dig will calculate the key id and print it with
	+multi.

	e.g.
		dig +dnssec +cd +multi dnskey kritek.net.

	Mark
 
> and observing that the key tags didn't agree.
> 
> -- 
> Chris Thompson
> Email: cet1 at cam.ac.uk
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
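Added worked example, not part of the thread and not ISC or BIND code: the diagnosis above rests on comparing the key tag of the DNSKEY records in the zone (what dig prints as "key id" with +multi) against the key tag in the DLV records at dlv.isc.org. This script computes the key tag as specified in RFC 4034 Appendix B, builds and verifies DS/DLV records (SHA-256 digest type, RFC 4034 section 5.1.4, the same RDATA layout DLV uses per RFC 4431), and reports which DLV anchors point at a key no longer in the zone and which KSKs have no anchor. The zone name example.net., the three DNSKEY lines and the DLV lines are constructed sample data, with throw-away key material, not the poster's real keys; single-line presentation format is assumed (dig output without +multi).

```python
import base64
import hashlib
import struct

# --- constructed sample records (not real keys; example.net. is a placeholder zone) ---
OLD_KSK_LINE = "example.net. 3600 IN DNSKEY 257 3 8 ECAw"      # the KSK that was rolled out
NEW_KSK_LINE = "example.net. 3600 IN DNSKEY 257 3 8 AQIDBA=="  # the replacement KSK
ZSK_LINE     = "example.net. 3600 IN DNSKEY 256 3 8 //8="      # a ZSK, never registered in DLV


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; this is the 'key id' dig prints with +multi."""
    if algorithm == 1:
        raise ValueError("RSA/MD5 (algorithm 1) uses a different key tag rule; not handled here")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF            # fold the carry back in
    return ac & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Parse 'owner [TTL] [IN] DNSKEY flags protocol algorithm base64...' (one line)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))   # base64 may be split on spaces
    return {"owner": fields[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "pubkey": pubkey,
            "tag": key_tag(flags, protocol, algorithm, pubkey),
            "ksk": bool(flags & 0x0001)}                     # SEP bit marks a KSK


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name, for the DS digest input."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_ds(key: dict) -> dict:
    """DS/DLV RDATA for a DNSKEY with digest type 2 (SHA-256): digest(owner | DNSKEY RDATA)."""
    rdata = struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]
    digest = hashlib.sha256(name_to_wire(key["owner"]) + rdata).hexdigest().upper()
    return {"tag": key["tag"], "algorithm": key["algorithm"], "digest_type": 2, "digest": digest}


def dlv_line(dnskey_line: str) -> str:
    """Render the DLV record a registry would publish for this DNSKEY (constructed sample)."""
    key = parse_dnskey(dnskey_line)
    ds = make_ds(key)
    owner = key["owner"].rstrip(".") + ".dlv.isc.org."
    return f"{owner} 3600 IN DLV {ds['tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def parse_ds(line: str) -> dict:
    """Parse a DS or DLV record in presentation format (identical RDATA layout)."""
    fields = line.split()
    idx = next(i for i, f in enumerate(fields) if f in ("DS", "DLV"))
    tag, algorithm, digest_type = (int(x) for x in fields[idx + 1:idx + 4])
    return {"tag": tag, "algorithm": algorithm, "digest_type": digest_type,
            "digest": "".join(fields[idx + 4:]).upper()}


def ds_matches_key(ds: dict, key: dict) -> bool:
    """True if this DS/DLV record was derived from this DNSKEY (tag, algorithm and digest)."""
    if ds["digest_type"] != 2:
        raise ValueError("only digest type 2 (SHA-256) is implemented in this example")
    return (ds["tag"] == key["tag"] and ds["algorithm"] == key["algorithm"]
            and ds["digest"] == make_ds(key)["digest"])


def check_anchors(dnskey_lines: list, ds_lines: list) -> dict:
    """Cross-check the zone's DNSKEY RRset against the DS/DLV records published for it."""
    keys = [parse_dnskey(l) for l in dnskey_lines]
    anchors = [parse_ds(l) for l in ds_lines]
    stale = [ds["tag"] for ds in anchors if not any(ds_matches_key(ds, k) for k in keys)]
    unanchored = [k["tag"] for k in keys
                  if k["ksk"] and not any(ds_matches_key(ds, k) for ds in anchors)]
    return {"key_tags": [k["tag"] for k in keys],
            "stale_anchors": stale,          # DLV points at a key the zone no longer serves
            "unanchored_ksks": unanchored}   # KSK in the zone with no DLV/DS record yet


if __name__ == "__main__":
    # The failure mode in the thread: DLV still holds the old KSK, the zone only has the new one.
    print("broken:", check_anchors([NEW_KSK_LINE, ZSK_LINE], [dlv_line(OLD_KSK_LINE)]))
    # The overlap state of a pre-publish rollover: both KSKs in the zone, both registered.
    print("overlap:", check_anchors([OLD_KSK_LINE, NEW_KSK_LINE, ZSK_LINE],
                                    [dlv_line(OLD_KSK_LINE), dlv_line(NEW_KSK_LINE)]))
```

In practice the DNSKEY lines come from `dig +dnssec +cd dnskey <zone>` and the anchor lines from `dig dlv <zone>.dlv.isc.org.` (or `dig ds <zone>` once the parent is signed); an empty "stale_anchors" and "unanchored_ksks" at every step is the condition to wait for before removing anything, after allowing for zone transfer and cache TTLs as described above.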