DNSSEC KSK problem

Heiko Richter email at heikorichter.name
Mon Aug 3 14:55:12 UTC 2015


Hi!

I'm hoping someone here can help me with a problem in my DNSSEC
configuration.

I'm running BIND 9 on Debian Jessie and have just finished configuring it
with DNSSEC for my zones. Everything, including automatic key rollover
for the ZSKs, is working, except for a slight anomaly with my KSKs:

For some reason the KSK isn't only used to sign the ZSKs, but also to
sign the zone. My server obviously signs the "normal" records with the
ZSK and the KSK, as you can see on this diagnostic site:
http://dnsviz.net/d/heikorichter.org/dnssec/

Strangely, for the TLD and the root zone the same flags are set on their
keys (257 for KSK and 256 for ZSK), and their servers seem to do it
right: their KSKs only sign the ZSK and their ZSKs are used to
sign the zone.

How can I force BIND to exhibit that same behaviour?

Here is my options clause:
options {
        allow-query {
                any;
        };
        allow-recursion {
                loopback;
                v1;
                v2;
        };
        auth-nxdomain no;
        directory "/var/cache/bind";
        disable-empty-zone yes;
        dnssec-enable yes;
        dnssec-validation yes;
        edns-udp-size 1460;
        empty-zones-enable no;
        forwarders { };
        hostname "v1.heikorichter.org";
        ixfr-from-differences no;
        listen-on {
                any;
        };
        listen-on-v6 {
                any;
        };
        max-refresh-time 7200;
        max-retry-time 1800;
        max-udp-size 1460;
        min-refresh-time 900;
        min-retry-time 600;
        minimal-responses no;
        notify yes;
        preferred-glue AAAA;
        provide-ixfr no;
        random-device "/dev/urandom";
        recursion yes;
        request-ixfr no;
        rrset-order {
                order random;
        };
        server-id "v1.heikorichter.org";
        sig-validity-interval 2400;
        statistics-file "/etc/bind/stats";
        transfer-format one-answer;
        version "Get Lost Pal";
        zone-statistics yes;
};

Command used to generate the KSK:
# -f KSK sets the SEP bit (flags 257); -P/-A/-R/-I/-D are the key timing
# metadata: publish now, activate in 100 s, never revoke/inactivate/delete
dnssec-keygen -r /dev/urandom -f KSK -a ECDSAP384SHA384 \
  -P now -A +100 -R none -I none -D none \
  -K /etc/bind/dyn/heikorichter.org heikorichter.org

Command used to generate the ZSK:
# no -f gives a ZSK (flags 256); -3 asks for an NSEC3-capable algorithm;
# offsets are seconds from now: publish +30 d, activate +31 d,
# inactive +63 d, delete +64 d
dnssec-keygen -r /dev/urandom -3 -a ECDSAP256SHA256 \
  -P +2592000 -A +2678400 -R none -I +5443200 -D +5529600 \
  -K /etc/bind/dyn/heikorichter.org heikorichter.org
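The check that dnsviz performed for the mail above, as an added example that is not part of the original post and not BIND's own code: a Python audit over DNSKEY and RRSIG records in presentation format (what `dig +dnssec` or a signed zone file gives you). It computes each key's RFC 4034 key tag, classifies keys by the SEP flag (257 = KSK, 256 = ZSK), lists every RRset other than DNSKEY whose RRSIG key tag belongs to a KSK, and reports any algorithm in the DNSKEY RRset that does not have both a KSK and a ZSK. That last check is the one relevant to the mail's setup: the BIND ARM describes `update-check-ksk` (default yes) as restricting KSKs to the DNSKEY RRset only when every algorithm in the DNSKEY RRset has at least one active KSK and one active ZSK, and as being ignored for any algorithm where that is not the case. The mail's KSK is ECDSAP384SHA384 (algorithm 14) and its ZSK ECDSAP256SHA256 (algorithm 13), so each algorithm has a single key; on top of that the ZSK is generated with `-A +2678400`, i.e. it is not active until 31 days after generation. The zone name, public keys and signatures in the sample are constructed (the keys are byte ramps, not real ECDSA keys); only the record layout is realistic.

```python
"""Audit which DNSKEYs sign which RRsets in a DNSSEC-signed zone.

Added example, not code from the original mail or from BIND.  Input is the
presentation format produced by `dig +dnssec` or a signed zone file.  All
sample data below is constructed: fake keys, fake signatures, example.org.
"""
import base64
from collections import defaultdict


def key_tag(flags: int, alg: int, pubkey: bytes, protocol: int = 3) -> int:
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA wire form."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, alg]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_records(text):
    """Yield (owner, rtype, rdata_fields) for DNSKEY and RRSIG lines only."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop comments / blanks
        parts = line.split()
        if len(parts) < 5 or parts[3] not in ("DNSKEY", "RRSIG"):
            continue                                   # owner TTL class type ...
        yield parts[0], parts[3], parts[4:]


def audit(text):
    """Return the keys, the non-DNSKEY RRsets a KSK signed, and the algorithms
    that lack a KSK/ZSK pair (for which BIND signs everything with one key)."""
    keys = {}                     # key tag -> (flags, alg, role)
    per_alg = defaultdict(set)    # alg -> set of roles present
    rrsigs = []                   # (owner, type covered, alg, key tag)
    for owner, rtype, rd in parse_records(text):
        if rtype == "DNSKEY":
            flags, proto, alg = int(rd[0]), int(rd[1]), int(rd[2])
            pub = base64.b64decode("".join(rd[3:]))
            role = "KSK" if flags & 0x0001 else "ZSK"  # SEP bit: 257 vs 256
            keys[key_tag(flags, alg, pub, proto)] = (flags, alg, role)
            per_alg[alg].add(role)
        else:
            # RRSIG RDATA: covered alg labels origttl expiry inception tag signer sig
            rrsigs.append((owner, rd[0], int(rd[1]), int(rd[6])))
    ksk_signed = [(owner, covered) for owner, covered, _alg, tag in rrsigs
                  if keys.get(tag, (0, 0, "UNKNOWN"))[2] == "KSK"
                  and covered != "DNSKEY"]
    unpaired = sorted(a for a, roles in per_alg.items() if roles != {"KSK", "ZSK"})
    return {"keys": keys, "ksk_signed_rrsets": ksk_signed,
            "unpaired_algorithms": unpaired}


def build_sample(ksk_alg, zsk_alg, ksk_signs_zone):
    """Construct records for a zone with one KSK and one ZSK.  Public keys are
    byte ramps and signatures are a fixed token; the RRSIG key tags are the
    real tags those fake keys get, so the sample is internally consistent."""
    ksk_pub, zsk_pub = bytes(range(64)), bytes(range(64, 128))
    ksk_tag, zsk_tag = key_tag(257, ksk_alg, ksk_pub), key_tag(256, zsk_alg, zsk_pub)
    times = "20150901000000 20150801000000"

    def sig(owner, covered, alg, tag, labels):
        return (f"{owner} 3600 IN RRSIG {covered} {alg} {labels} 3600 {times} "
                f"{tag} example.org. ZmFrZQ==")

    lines = [
        f"example.org. 3600 IN DNSKEY 257 3 {ksk_alg} {base64.b64encode(ksk_pub).decode()}",
        f"example.org. 3600 IN DNSKEY 256 3 {zsk_alg} {base64.b64encode(zsk_pub).decode()}",
        sig("example.org.", "DNSKEY", ksk_alg, ksk_tag, 2),
        "example.org. 3600 IN A 192.0.2.1",
        sig("example.org.", "A", zsk_alg, zsk_tag, 2),
        "www.example.org. 3600 IN A 192.0.2.2",
        sig("www.example.org.", "A", zsk_alg, zsk_tag, 3),
    ]
    if ksk_signs_zone:    # what the mail's dnsviz output shows: KSK on A too
        lines += [sig("example.org.", "A", ksk_alg, ksk_tag, 2),
                  sig("www.example.org.", "A", ksk_alg, ksk_tag, 3)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Mail-like zone: KSK alg 14, ZSK alg 13 -> both algorithms unpaired,
    # and the KSK shows up on the A RRsets.  Paired zone: same algorithm, clean.
    for label, text in (("mail-like zone", build_sample(14, 13, True)),
                        ("paired zone", build_sample(13, 13, False))):
        print(label, audit(text))
```

Run it against real data by piping `dig +dnssec +multiline example.org ANY` or the signed zone file into `audit()`; anything in `ksk_signed_rrsets` is the symptom the mail describes, and a non-empty `unpaired_algorithms` is the configuration that triggers it under `update-check-ksk yes`.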

