Testing RFC 5011 key roll

Evan Hunt each at isc.org
Fri Apr 17 16:45:38 UTC 2015


On Fri, Apr 17, 2015 at 02:46:16PM +0000, Edward Lewis wrote:
> I am building named and unbound recursive servers to follow a test of RFC
> 5011 trust anchor updates, the experiment is documented at
> http://keyroll.systems.  One reason why I'm asking here is in
> http://jpmens.net/2015/01/21/opendnssec-rfc-5011-bind-and-unbound/
> which mentions some issues with RFC 5011 rolls in BIND.

I believe all of the issues Jan-Piet discovered have been fixed in
the latest versions.

> But I bet my problem is that I haven't included yet-another configuration
> statement.

A minor nit: You have both a bindkeys-file (which is loaded when you use
"dnssec-validation auto") and a managed-keys statement in your named.conf.
It's harmless, but there's no need to have both.  You can lose the bindkeys
file and set "dnssec-validation yes", or lose the managed-keys statement.

The key at keyroll.systems rolls every 90 minutes if I recall correctly,
so when you start the process you'll need to be sure you're using the
latest key; if you leave your file alone for a few hours it'll stop
working.  "dig @204.42.252.20 dnskey ." will show you the current key
set.

I tried your configuration, and after updating the key to the most recent
one, I am getting responses that validate.

By the way, if you want to ensure that named smoothly rolls over to the
next key, you'll need to adjust its timers.  RFC 5011 says that you can't
trust a new key until it's been in the DNSKEY rrset for at least a month.
To enable testing in a reasonable time, there's an undocumented
option to named that redefines time units for RFC 5011 purposes:

        $ named -T mkeytimers=2/5/60

The numbers between the slashes are the number of seconds to use for
an "hour", a "day", and a "month", respectively.  If you run with the
above option, named will trust a new key 60 seconds after it's seen it,
instead of waiting a full 30 days.  (This is, I hope obviously, *not*
something you want to run in production. :) )

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
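As an added illustration of the hold-down behaviour discussed above (this is not code from the thread or from BIND), here is a simplified model of the RFC 5011 Start -> AddPend -> Valid state machine in which the "month" hold-down is a parameter in seconds, so the same polling timeline can be run with the real 30-day value and with a shortened value like the 60 in `-T mkeytimers=2/5/60`. The key tags and poll times are constructed, and the model omits the revoke/remove side of RFC 5011.

```python
"""Simplified RFC 5011 add-hold-down model (Start -> AddPend -> Valid).
Constructed teaching model, not named's code; the 'month' hold-down is a
parameter in seconds, like the third field of -T mkeytimers=2/5/60."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

START, ADDPEND, VALID = "Start", "AddPend", "Valid"
MONTH = 30 * 24 * 3600  # RFC 5011 add hold-down: 30 days, in seconds


@dataclass
class KeyState:
    state: str = START
    pend_since: Optional[float] = None  # when the key entered AddPend


@dataclass
class Rfc5011Tracker:
    month_seconds: float = MONTH
    keys: Dict[str, KeyState] = field(default_factory=dict)

    def observe(self, now: float, keytags: Iterable[str],
                signed_by_trusted: bool) -> Dict[str, str]:
        """Process one DNSKEY RRset poll at time `now`; return key states."""
        seen = set(keytags)
        if signed_by_trusted:  # an RRset not signed by a trusted key is ignored
            for tag in seen:
                k = self.keys.setdefault(tag, KeyState())
                if k.state == START:
                    k.state, k.pend_since = ADDPEND, now  # start the hold-down
                elif k.state == ADDPEND and now - k.pend_since >= self.month_seconds:
                    k.state = VALID  # still present after the hold-down: trust it
            for tag, k in self.keys.items():
                if tag not in seen and k.state == ADDPEND:
                    k.state, k.pend_since = START, None  # vanished: clock resets
        return {t: k.state for t, k in self.keys.items()}


def run(polls: List[Tuple[float, Iterable[str], bool]],
        month_seconds: float = MONTH) -> List[str]:
    """State of constructed key tag 'new' after each (time, tags, signed_ok) poll."""
    tr = Rfc5011Tracker(month_seconds)
    return [tr.observe(t, tags, ok).get("new", START) for t, tags, ok in polls]


if __name__ == "__main__":
    # Shortened timers (month = 60 s): trusted on the first poll at least 60 s later.
    print(run([(0, {"old", "new"}, True), (30, {"old", "new"}, True),
               (60, {"old", "new"}, True)], month_seconds=60))
    # Key vanishes mid hold-down: back to Start, and the 60 s clock restarts.
    print(run([(0, {"old", "new"}, True), (30, {"old"}, True), (60, {"old", "new"}, True),
               (90, {"old", "new"}, True), (120, {"old", "new"}, True)], month_seconds=60))
```

With the default 30-day value the same timeline leaves the key in AddPend for the whole month, which is why a test roll that repeats every 90 minutes never promotes the new key without shortened timers.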
