dnssec-signzone, dsset files and deleted KSK's

John Marshall john.marshall at riverwillow.com.au
Fri Aug 3 11:04:18 UTC 2012

On 03/08/2012 18:00, John Marshall wrote:
> On 03/08/2012 09:28, John Marshall wrote:
>> The behaviour of the dsset file generation appears to be unaffected by
>> the smart signing switch (-S). The generated dsset file includes all
>> KSK's found in the key repository (-K) irrespective of any timing
>> metadata (e.g. deleted). The dnssec-settime(8) manual says that deleted
>> keys may remain in the key repository but the only way to exclude
>> deleted KSK's from the dsset file seems to be to remove them from the
>> key repository directory.
> I have upgraded to BIND 9.9.1-P2 and see the same behaviour there as
> well. Unless I am missing something obvious, it seems that the only way
> to avoid having "dnssec-signzone -g" for a parent zone pick up stale DS
> records from dsset files generated by "dnssec-signzone -S" for the child
> zones is to remove deleted KSK's from the (-K) key repository directory
> prior to signing the child zones.

Also the NSEC3 signing option warns about missing DNSKEYs in the zone
before smart signing has had a chance to put them in. It's only a
warning message and everything works but it seems that there are a
couple of bits of dnssec-signzone that haven't caught up with smart signing.

# dnssec-signzone          \
	-d /path/to/dssets \
	-g                 \
	-K /path/to/keys   \
 	-S                 \
	-3 53414954        \
	-o riverwillow.com.au. riverwillow.com.au
dnssec-signzone: warning: NSEC3 generation requested with no DNSKEY;
Fetching ZSK 4161/RSASHA256 from key repository.
Fetching KSK 6055/RSASHA256 from key repository.
Fetching KSK 59433/NSEC3RSASHA1 from key repository.
Fetching ZSK 15482/NSEC3RSASHA1 from key repository.
Verifying the zone using the following algorithms: NSEC3RSASHA1 RSASHA256.
Zone signing complete:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                         ZSKs: 1 active, 0 stand-by, 0 revoked
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked

John Marshall

More information about the bind-users mailing list