KSK signing incomplete
Klaus Darilion
klaus.mailinglists at pernau.at
Tue May 20 16:34:41 UTC 2014
Hi!
Using Bind 9.9.5.
I have some questions about the private records which indicate the
signing status. From my external key management and monitoring tool I
query the private records to get the signing status, e.g. if the signing
after a rollover is finished, if a key can be deleted from disk, ...
But sometimes I see that the KSK signing is incomplete (last octet=0).
As you can see, the KSK (63963, 0xF9DB) is used to sign the DNSKEYs:
# dig @83.136.34.28 DNSKEY +dnssec tld-box.com +multi
tld-box.com. 60 IN DNSKEY 257 3 7 (
AwEAAa3+Y3K0FTZkaLZqsERhGAHKjHOnCTO+hQMsj8yQ
Sw+U/tmplyHTy5zEG6T26G8aGHbS8fnrCGs0EPXKkiWJ
jfw+xRgiqbTJmT7o8LTd1CIHO+J4GbKXRV95EjoUH/P9
qfJTbcqjwWblkzhEDuSNilec1pnJ0uEMcN+7z3p7VcC3
H8uFPT2A2PhQ5OPDoGRym4HPkn2zL+hzpSboUeWGoAHw
zowuc1/Dt2nKUNoUzDECDZusWDdws9SG+g6CAMSxshvJ
haM0GKO9LdlMqkUrP2wdS6bomTM4gTvk2HFFLuzY+ZpX
kFkJSx1xjDN4iJxcDtxCpz53jPYaz3ObfbKRzBc=
) ; KSK; alg = NSEC3RSASHA1; key id = 63963
tld-box.com. 60 IN DNSKEY 256 3 7 (
...
tld-box.com. 60 IN RRSIG DNSKEY 7 2 60 (
20140619162004 20140520152004 63963 tld-box.com.
Oywivr89OgqlJHeR6xOtzjTCsH90Jp4NivuC5W8jiGO4
aeWVZOZZhyZs/QkVifUCupjZ/uAlAyTNC1WNeKjej+4P
0A7a++p1U96CF0A1PIWblcNN7HbLv+0JGd6yddIHuNkF
ZseefyD2OzRMiKix+5u5xH1NavaOt8ggBPUSlpp/YOdL
UFIhoFwkCbAp4a7WYhMZZj+6gCk9RZAZXHo1EuFPtwt4
xd/tl4EK6i37yNxnimS1/KsHx6Gip0yQW0Qt6fOJsk79
laOmLm/xozgwH1CqNq4hjypoPib07m0Aot+7LKP5Svcy
+MfG7BLeNVfRqWPI3+ztWVjXZvp/Rlpdzg== )
But the private records indicate:
# dig @83.136.34.28 TYPE65534 tld-box.com
tld-box.com. 0 IN TYPE65534 \# 5 071D960001
tld-box.com. 0 IN TYPE65534 \# 5 07F9DB0000
tld-box.com. 0 IN TYPE65534 \# 5 07213E0001
As the first octet is not 0, the last octet should indicate the signing
status: !=0 means "completed", which is not the case: 5 07F9DB0000
Same with rndc:
# rndc signing -list tld-box.com
Done signing with key 7574/NSEC3RSASHA1
Done signing with key 8510/NSEC3RSASHA1
Signing with key 63963/NSEC3RSASHA1
What else should the KSK sign?
Also, forcing a resign does not change anything:
# rndc sign tld-box.com
# rndc signing -list tld-box.com
Done signing with key 7574/NSEC3RSASHA1
Done signing with key 8510/NSEC3RSASHA1
Signing with key 63963/NSEC3RSASHA1
So, why is the signing not finished? I would like to force Bind to
finish the signing so that my monitoring can reliably check the private
records.
Further, I see that sometimes there are no private records at all. When
does this happen? (I never called "rndc signing -clear") How can I force
Bind to always show the private records?
Thanks
Klaus
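A decoder for these signing-status records, added here as an example and not part of Klaus's post or of BIND itself: it parses the three TYPE65534 lines quoted above (copied as constructed sample input), expands them the way `rndc signing -list` does, and flags a key that already signs the DNSKEY RRset while its private record still reads incomplete. The octet layout follows BIND's private record format (algorithm, key tag, removal flag, completion flag); the `dnskey_signers` parameter and the small algorithm name table are this example's own.

```python
import re
# Algorithm numbers from the IANA DNSSEC registry (subset).
ALGORITHMS = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}
# dig prints unknown RR types in RFC 3597 form: "\# <length> <hex>"
PRIVATE_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+TYPE65534\s+\\#\s+(\d+)\s+([0-9A-Fa-f]+)$")

def parse_private_record(line):
    """Decode one BIND signing-status record (TYPE65534) from a dig output line.
    Octet layout of the 5-byte key record, following BIND's private record format:
      0: DNSSEC algorithm (0 marks an NSEC3 chain record, not a key record)
      1-2: key tag, big-endian
      3: non-zero while signatures made with this key are being removed
      4: non-zero once signing (or removal) with this key has completed
    Returns None for lines that are not TYPE65534 key records."""
    m = PRIVATE_RE.match(line.strip())
    if not m:
        return None
    length, blob = int(m.group(2)), bytes.fromhex(m.group(3))
    if len(blob) != length:
        raise ValueError("RDATA length does not match hex data: %s" % line)
    if length != 5 or blob[0] == 0:
        return None
    return {"owner": m.group(1), "algorithm": blob[0],
            "keytag": int.from_bytes(blob[1:3], "big"),
            "removing": blob[3] != 0, "complete": blob[4] != 0}

def signing_status(lines, dnskey_signers=()):
    """Expand key records the way 'rndc signing -list' does, and flag any key
    that already signs the DNSKEY RRset but whose record is not yet complete."""
    report = []
    for rec in filter(None, map(parse_private_record, lines)):
        action = "Removing signatures" if rec["removing"] else "Signing"
        state = "done" if rec["complete"] else "in progress"
        alg = ALGORITHMS.get(rec["algorithm"], "alg%d" % rec["algorithm"])
        warn = rec["keytag"] in dnskey_signers and not rec["complete"]
        report.append((rec["keytag"], alg, action, state, warn))
    return report

# Constructed sample: the three private records from the post and the key tag
# that the DNSKEY RRSIG names as signer (63963).
SAMPLE = [
    "tld-box.com. 0 IN TYPE65534 \\# 5 071D960001",
    "tld-box.com. 0 IN TYPE65534 \\# 5 07F9DB0000",
    "tld-box.com. 0 IN TYPE65534 \\# 5 07213E0001",
]
DNSKEY_SIGNERS = (63963,)
for tag, alg, action, state, warn in signing_status(SAMPLE, DNSKEY_SIGNERS):
    print("%s with key %d/%s: %s%s" % (action, tag, alg, state,
          "  <-- signs DNSKEY RRset but not marked complete" if warn else ""))
```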