Mixing Algorithms for DNSSEC

Mark Elkins mje at posix.co.za
Sat Oct 15 10:11:35 UTC 2011


Saw the light of day and decided to change my DNSSEC signing script to
create DNS Keys with RSASHA256 rather than RSASHA1. It seems one cannot
mix these two in the same zone????

I've created a short script to demonstrate the issue.

I've Attached "RunTest" that simulates what I am doing.
It uses the zone "foo.com" - I've attached "db.foo.com.base" as a simple
zone.
I've attached the "output"
Best to do this in a completely empty directory!

Basically - create a KSK and ZSK with RSASHA1 - Sign - and visibly check
the results.
Add a new KSK using RSASHA256 - prep the zone and sign again.
1 - Signer is confused???? - cannot sign (or generate a new Signed
Zone)...
        Verifying the zone using the following algorithms: RSASHA1.
        Missing self signing KSK for algorithm RSASHA256
        The zone is not fully signed for the following algorithms:
        RSASHA256.
        dnssec-signzone: fatal: DNSSEC completeness test failed.
        
2 - The file "dsset-foo.com." has too many DS records. Why is
dnssec-signzone adding the DS records for a ZSK into dsset?

If everything is either RSASHA1 or RSASHA256 - everything is OK.

Bug? Simply how it should be by design? This really disturbs me - these
Keys take ages in the real world to migrate using reasonable timings -
do I have to Zap all my Keys - redo all zones. Is this always the case
when an Algorithm changes?

Versions: BIND 9.7.3-P3, dnssec-keygen: 9.7.3, dnssec-signzone: 9.7.3-P3
-- 
Mark Elkins <mje at posix.co.za>
Posix Systems
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RunTest
Type: application/x-shellscript
Size: 818 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20111015/c183c733/attachment.bin>
-------------- next part --------------
$TTL 3600
@		IN	SOA	control.vweb.co.za. dns-admin.posix.co.za. (
			2011101501	; Serial number
			3600		; Refresh, 86400=1 day, 3600=1 hr
			1800		; Retry after 30 mins
			604800		; Expire after 7 days
			1800 )		; Negative TTL, 21600=6 hrs, 1800=30 mins

		IN	NS	secdns1.posix.co.za.
		IN	NS	control.vweb.co.za.
		IN	A	160.124.208.1

-------------- next part --------------
Generating key pair....++++++ ....................++++++ 
Kfoo.com.+005+03488
Generating key pair.........................................++++++ ................++++++ 
Kfoo.com.+005+56205
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 1 active, 0 stand-by, 0 revoked
db.foo.com.signed
total 40
-rw-r--r-- 1 root root  426 Oct 15 11:56 Kfoo.com.+005+03488.key
-rw------- 1 root root 1014 Oct 15 11:56 Kfoo.com.+005+03488.private
-rw-r--r-- 1 root root  426 Oct 15 11:56 Kfoo.com.+005+56205.key
-rw------- 1 root root 1014 Oct 15 11:56 Kfoo.com.+005+56205.private
-rw-r--r-- 1 root root  818 Oct 15 11:53 RunTest
-rw-r--r-- 1 root root 1187 Oct 15 11:56 db.foo.com
-rw-r--r-- 1 root root  335 Oct 15 11:48 db.foo.com.base
-rw-r--r-- 1 root root 2672 Oct 15 11:56 db.foo.com.signed
-rw-r--r-- 1 root root  159 Oct 15 11:56 dsset-foo.com.
-rw-r--r-- 1 root root  406 Oct 15 11:56 output
Generating key pair..............++++++ ...++++++ 
Kfoo.com.+008+13851
Verifying the zone using the following algorithms: RSASHA1.
Missing self signing KSK for algorithm RSASHA256
The zone is not fully signed for the following algorithms: RSASHA256.
dnssec-signzone: fatal: DNSSEC completeness test failed.
total 48
-rw-r--r-- 1 root root  426 Oct 15 11:56 Kfoo.com.+005+03488.key
-rw------- 1 root root 1014 Oct 15 11:56 Kfoo.com.+005+03488.private
-rw-r--r-- 1 root root  426 Oct 15 11:56 Kfoo.com.+005+56205.key
-rw------- 1 root root 1014 Oct 15 11:56 Kfoo.com.+005+56205.private
-rw-r--r-- 1 root root  423 Oct 15 11:57 Kfoo.com.+008+13851.key
-rw------- 1 root root 1012 Oct 15 11:57 Kfoo.com.+008+13851.private
-rw-r--r-- 1 root root  818 Oct 15 11:53 RunTest
-rw-r--r-- 1 root root 1610 Oct 15 11:57 db.foo.com
-rw-r--r-- 1 root root  335 Oct 15 11:48 db.foo.com.base
-rw-r--r-- 1 root root 2672 Oct 15 11:56 db.foo.com.signed
-rw-r--r-- 1 root root  318 Oct 15 11:57 dsset-foo.com.
-rw-r--r-- 1 root root 1311 Oct 15 11:57 output
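As an added illustration (this is not the poster's RunTest script and not BIND's own code), the Python below models the rule behind "DNSSEC completeness test failed": RFC 4035 section 2.2 requires that every algorithm appearing in the apex DNSKEY RRset signs every RRset in the zone, and that a KSK of each algorithm signs the DNSKEY RRset. The signer enforces it so that a zone with an RSASHA256 key but only RSASHA1 signatures never gets published for validators to reject. The keys are constructed byte strings rather than RSA keys (only their key tags matter here), "foo.com." and the RRset list are taken from the attached zone, and the poster's second step is modelled twice because the message does not show which keys RunTest handed to dnssec-signzone. The fix in either variant is the one RFC 6781 describes for an algorithm rollover: introduce a KSK and a ZSK of the new algorithm together.

```python
"""Model of the DNSSEC completeness check dnssec-signzone performs.
Added example; keys and RRsets are constructed, not the poster's data."""
import struct

# Algorithm numbers (RFC 4034 / RFC 5702) and DNSKEY flag values (RFC 4034)
RSASHA1, RSASHA256 = 5, 8
ALG_NAME = {RSASHA1: "RSASHA1", RSASHA256: "RSASHA256"}
KSK, ZSK = 257, 256            # ZONE flag 256, plus SEP bit 1 for a KSK
APEX = "foo.com."


def keytag(flags: int, alg: int, pubkey: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (protocol is always 3)."""
    rdata = struct.pack("!HBB", flags, 3, alg) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def sign(rrsets, signing_keys):
    """Mimic dnssec-signzone's default key usage: a KSK signs only the apex
    DNSKEY RRset, a ZSK signs every RRset.  Returns (owner, type, alg, keytag)
    tuples standing in for RRSIG records."""
    rrsigs = []
    for flags, alg, pub in signing_keys:
        tag = keytag(flags, alg, pub)
        targets = [(APEX, "DNSKEY")] if flags & 1 else sorted(rrsets)
        rrsigs.extend((owner, rtype, alg, tag) for owner, rtype in targets)
    return rrsigs


def completeness_check(dnskeys, rrsets, rrsigs):
    """Return the errors dnssec-signzone would report, or [] if the zone is
    fully signed for every algorithm that appears in the DNSKEY RRset."""
    errors = []
    flags_by_tag = {keytag(f, a, p): f for f, a, p in dnskeys}
    for alg in sorted({a for _, a, _ in dnskeys}):
        # (1) a KSK of this algorithm must sign the DNSKEY RRset
        ksk_signed = any(rtype == "DNSKEY" and a == alg and flags_by_tag.get(tag, 0) & 1
                         for _, rtype, a, tag in rrsigs)
        if not ksk_signed:
            errors.append(f"Missing self signing KSK for algorithm {ALG_NAME[alg]}")
        # (2) every RRset must carry a signature made with this algorithm
        signed = {(o, t) for o, t, a, _ in rrsigs if a == alg}
        if not rrsets <= signed:
            errors.append("The zone is not fully signed for the following "
                          f"algorithms: {ALG_NAME[alg]}.")
    return errors


# Constructed keys: the public-key bytes are arbitrary and only yield distinct tags
KSK5 = (KSK, RSASHA1, bytes(range(1, 33)))
ZSK5 = (ZSK, RSASHA1, bytes(range(33, 65)))
KSK8 = (KSK, RSASHA256, bytes(range(65, 97)))
ZSK8 = (ZSK, RSASHA256, bytes(range(97, 129)))
# RRsets present at the apex of the attached db.foo.com.base once it carries DNSKEYs
RRSETS = {(APEX, "SOA"), (APEX, "NS"), (APEX, "A"), (APEX, "DNSKEY")}


def check_zone(published, signing):
    """published: keys in the DNSKEY RRset; signing: keys the signer is given."""
    return completeness_check(published, RRSETS, sign(RRSETS, signing))


def step1_single_algorithm():
    return check_zone([KSK5, ZSK5], [KSK5, ZSK5])


def step2_new_ksk_published_only():
    # RSASHA256 KSK added to the zone file but not handed to the signer
    return check_zone([KSK5, ZSK5, KSK8], [KSK5, ZSK5])


def step2_new_ksk_signs_too():
    # even when the new KSK signs, no RSASHA256 ZSK covers SOA/NS/A
    return check_zone([KSK5, ZSK5, KSK8], [KSK5, ZSK5, KSK8])


def step3_ksk_and_zsk_of_new_algorithm():
    # RFC 6781 algorithm rollover: a KSK and a ZSK of the new algorithm together
    return check_zone([KSK5, ZSK5, KSK8, ZSK8], [KSK5, ZSK5, KSK8, ZSK8])


if __name__ == "__main__":
    for fn in (step1_single_algorithm, step2_new_ksk_published_only,
               step2_new_ksk_signs_too, step3_ksk_and_zsk_of_new_algorithm):
        print(fn.__name__, "->", fn() or ["OK: DNSSEC completeness test passed"])
```

The first variant of step 2 reproduces both messages in the attached output; the second shows that publishing and signing with the new KSK alone is still not enough, because the ZSK-signed RRsets carry no RSASHA256 signature. Only step 3, with both key roles present for the new algorithm, passes; the old RSASHA1 keys can then be retired after the DS change and the usual TTL waits.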