KSK signing incomplete

Klaus Darilion klaus.mailinglists at pernau.at
Tue May 20 16:34:41 UTC 2014


Hi!

Using Bind 9.9.5.

I have some questions about the private records which indicate the
signing status. From my external key management and monitoring tool I
query the private records to get the signing status, e.g. if the signing
after a rollover is finished, if a key can be deleted from disk, ...

But sometimes I see that the KSK signing is incomplete (last octet=0).

As you can see, the KSK (63963, 0xF9DB) is used to sign the DNSKEYs:

# dig @83.136.34.28 DNSKEY +dnssec tld-box.com +multi
tld-box.com.            60 IN DNSKEY 257 3 7 (
			AwEAAa3+Y3K0FTZkaLZqsERhGAHKjHOnCTO+hQMsj8yQ
			Sw+U/tmplyHTy5zEG6T26G8aGHbS8fnrCGs0EPXKkiWJ
			jfw+xRgiqbTJmT7o8LTd1CIHO+J4GbKXRV95EjoUH/P9
			qfJTbcqjwWblkzhEDuSNilec1pnJ0uEMcN+7z3p7VcC3
			H8uFPT2A2PhQ5OPDoGRym4HPkn2zL+hzpSboUeWGoAHw
			zowuc1/Dt2nKUNoUzDECDZusWDdws9SG+g6CAMSxshvJ
			haM0GKO9LdlMqkUrP2wdS6bomTM4gTvk2HFFLuzY+ZpX
			kFkJSx1xjDN4iJxcDtxCpz53jPYaz3ObfbKRzBc=
			) ; KSK; alg = NSEC3RSASHA1; key id = 63963
tld-box.com.            60 IN DNSKEY 256 3 7 (
...
tld-box.com.            60 IN RRSIG DNSKEY 7 2 60 (
			20140619162004 20140520152004 63963 tld-box.com.
			Oywivr89OgqlJHeR6xOtzjTCsH90Jp4NivuC5W8jiGO4
			aeWVZOZZhyZs/QkVifUCupjZ/uAlAyTNC1WNeKjej+4P
			0A7a++p1U96CF0A1PIWblcNN7HbLv+0JGd6yddIHuNkF
			ZseefyD2OzRMiKix+5u5xH1NavaOt8ggBPUSlpp/YOdL
			UFIhoFwkCbAp4a7WYhMZZj+6gCk9RZAZXHo1EuFPtwt4
			xd/tl4EK6i37yNxnimS1/KsHx6Gip0yQW0Qt6fOJsk79
			laOmLm/xozgwH1CqNq4hjypoPib07m0Aot+7LKP5Svcy
			+MfG7BLeNVfRqWPI3+ztWVjXZvp/Rlpdzg== )

But the private records indicate:
# dig @83.136.34.28 TYPE65534 tld-box.com
tld-box.com.            0       IN      TYPE65534 \# 5 071D960001
tld-box.com.            0       IN      TYPE65534 \# 5 07F9DB0000
tld-box.com.            0       IN      TYPE65534 \# 5 07213E0001

As the first octet is not 0, the last octet should indicate the signing
status: !=0 means "completed", which is not the case: 5 07F9DB0000

Same with rndc:
# rndc signing -list tld-box.com
Done signing with key 7574/NSEC3RSASHA1
Done signing with key 8510/NSEC3RSASHA1
Signing with key 63963/NSEC3RSASHA1


What else should the KSK sign?

Also forcing resign does not change anything:

# rndc sign tld-box.com
# rndc signing -list tld-box.com
Done signing with key 7574/NSEC3RSASHA1
Done signing with key 8510/NSEC3RSASHA1
Signing with key 63963/NSEC3RSASHA1


So, why is the signing not finished? I would like to force Bind to
finish the signing so that my monitoring can reliably check the private
records.



Further, I see that sometimes there are no private records at all. When
does this happen? (I never called "rndc signing -clear") How can I force
Bind to always show the private records?

Thanks
Klaus
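Added example (not part of Klaus's post or of BIND itself): a small decoder for the TYPE65534 records shown above, of the kind an external monitoring tool could use to flag keys whose signing is still incomplete. It assumes BIND's key-status layout of algorithm, two-byte key id, a "removing" octet and a "complete" octet, and treats a leading 0 octet as NSEC3-chain bookkeeping rather than key status; the sample records are copied from the dig output in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the three TYPE65534 records from the dig output above.
SAMPLE_RECORDS = """\
tld-box.com.            0       IN      TYPE65534 \\# 5 071D960001
tld-box.com.            0       IN      TYPE65534 \\# 5 07F9DB0000
tld-box.com.            0       IN      TYPE65534 \\# 5 07213E0001
"""

# RFC 3597 generic RDATA presentation: "\# <length> <hex octets>"
_GENERIC = re.compile(r"\\#\s+(\d+)\s+([0-9A-Fa-f\s]+)$")


@dataclass
class SigningStatus:
    algorithm: int
    key_id: int
    removing: bool   # assumed 4th octet: key is being withdrawn
    complete: bool   # 5th octet: signing with this key has finished


def parse_private_rdata(rdata: str) -> Optional[SigningStatus]:
    """Decode one BIND private-type record in generic (\\#) form.
    Returns None when the first octet is 0 (NSEC3 chain record, not key status)."""
    m = _GENERIC.search(rdata.strip())
    if not m:
        raise ValueError(f"not RFC 3597 generic RDATA: {rdata!r}")
    length = int(m.group(1))
    octets = bytes.fromhex("".join(m.group(2).split()))
    if len(octets) != length:
        raise ValueError(f"declared length {length}, got {len(octets)} octets")
    if octets[0] == 0:
        return None
    if length != 5:
        raise ValueError(f"key-status record should be 5 octets, got {length}")
    return SigningStatus(
        algorithm=octets[0],
        key_id=int.from_bytes(octets[1:3], "big"),
        removing=octets[3] != 0,
        complete=octets[4] != 0,
    )


def incomplete_keys(dig_output: str) -> List[int]:
    """Key ids whose signing-status record still reports 'not complete'."""
    pending = []
    for line in dig_output.splitlines():
        if "TYPE65534" not in line:
            continue
        status = parse_private_rdata(line.split("TYPE65534", 1)[1])
        if status is not None and not status.complete:
            pending.append(status.key_id)
    return pending
```

Run against the sample, the KSK 63963 (0xF9DB) is the only key reported as incomplete, matching the rndc output in the post.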





More information about the bind-users mailing list