DNSSec KSK problem

Mark Andrews marka at isc.org
Wed Aug 5 04:15:48 UTC 2015


In message <mpnvch$du9$1 at news.albasani.net>, Heiko Richter writes:
> Hi!
> 
> I'm hoping someone here can help me with a problem in my DNSSec
> configuration.
> 
> I'm running Bind 9 in Debian Jessie and just finished configuring it
> with DNSSec for my zones. Everything including automatic key rollover
> for the ZSKs is working, except for a slight anomaly with my KSKs:
> 
> For some reason the KSK isn't only used to sign the ZSKs, but also to
> sign the zone. My server obviously signs the "normal" records with the
> ZSK and the KSK as you can see on this diagnostic site:
> http://dnsviz.net/d/heikorichter.org/dnssec/
> 
> Strangely for the TLD and the root zone the same flags are set on their
> keys (257 for KSK and 256 for ZSK) and their servers seem to do it
> right. Their KSKs are only signing the ZSK and their ZSKs are used to
> sign the zone.
> 
> How can I force Bind to that same behaviour?
> 
> Here is my Options-Clause:
> options {
>         allow-query {
>                 any;
>         };
>         allow-recursion {
>                 loopback;
>                 v1;
>                 v2;
>         };
>         auth-nxdomain no;
>         directory "/var/cache/bind";
>         disable-empty-zone yes;
>         dnssec-enable yes;
>         dnssec-validation yes;
>         edns-udp-size 1460;
>         empty-zones-enable no;
>         forwarders { };
>         hostname "v1.heikorichter.org";
>         ixfr-from-differences no;
>         listen-on {
>                 any;
>         };
>         listen-on-v6 {
>                 any;
>         };
>         max-refresh-time 7200;
>         max-retry-time 1800;
>         max-udp-size 1460;
>         min-refresh-time 900;
>         min-retry-time 600;
>         minimal-responses no;
>         notify yes;
>         preferred-glue AAAA;
>         provide-ixfr no;
>         random-device "/dev/urandom";
>         recursion yes;
>         request-ixfr no;
>         rrset-order {
>                 order random;
>         };
>         server-id "v1.heikorichter.org";
>         sig-validity-interval 2400;
>         statistics-file "/etc/bind/stats";
>         transfer-format one-answer;
>         version "Get Lost Pal";
>         zone-statistics yes;
> };
> 
> Command used to generate the KSK:
> dnssec-keygen -r /dev/urandom -f KSK -a ECDSAP384SHA384 \
>   -P now -A +100 -R none -I none -D none \
>   -K /etc/bind/dyn/heikorichter.org heikorichter.org
> 
> Command used to generate the ZSK:
> dnssec-keygen -r /dev/urandom -3 -a ECDSAP256SHA256 \
>   -P +2592000 -A +2678400 -R none -I +5443200 -D +5529600 \
>   -K /etc/bind/dyn/heikorichter.org heikorichter.org

Well, you are using 2 algorithms (ECDSAP256SHA256 and ECDSAP384SHA384)
and you only have a single key per algorithm, so named signs all the
RRsets in the zone with both keys.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
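The rule behind this answer is RFC 4035 section 2.2: every RRset in a signed zone must carry an RRSIG made with a key of each algorithm that appears in the apex DNSKEY RRset. When the only ECDSAP384SHA384 key is the KSK, that rule leaves named no choice but to sign every RRset with it. The script below is an added illustration, not code from the thread or from BIND: it parses a constructed sample zone (owner example.test., placeholder key material and key tags) in presentation format, reports which algorithms are carried by a single key, and lists any RRset that lacks a signature for one of the DNSKEY algorithms. Function names such as coverage_report and single_key_algorithms are this example's own.

```python
"""Check RFC 4035 section 2.2 algorithm coverage on a signed zone.

Added example, not part of the bind-users thread. Input is a constructed
set of records in presentation format; key material and key tags are
placeholders, not real values.
"""
from collections import defaultdict

# Constructed sample: one KSK on algorithm 14 (ECDSAP384SHA384), one ZSK on
# algorithm 13 (ECDSAP256SHA256). The apex A RRset is signed by the ZSK only,
# the www A RRset by both keys.
SAMPLE_ZONE = """
example.test. 3600 IN DNSKEY 257 3 14 PLACEHOLDERKSK==
example.test. 3600 IN DNSKEY 256 3 13 PLACEHOLDERZSK==
example.test. 3600 IN RRSIG DNSKEY 14 2 3600 20150901000000 20150801000000 11111 example.test. SIG1==
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20150901000000 20150801000000 22222 example.test. SIG2==
example.test. 3600 IN A 192.0.2.1
example.test. 3600 IN RRSIG A 13 2 3600 20150901000000 20150801000000 22222 example.test. SIG3==
www.example.test. 3600 IN A 192.0.2.2
www.example.test. 3600 IN RRSIG A 13 2 3600 20150901000000 20150801000000 22222 example.test. SIG4==
www.example.test. 3600 IN RRSIG A 14 2 3600 20150901000000 20150801000000 11111 example.test. SIG5==
"""


def parse_records(text):
    """Parse one presentation-format RR per line into dicts.

    Only the fields this check needs are extracted: DNSKEY flags and
    algorithm, RRSIG covered type, algorithm and key tag.
    """
    records = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        owner, rrtype, rdata = fields[0], fields[3], fields[4:]
        rec = {"owner": owner, "type": rrtype}
        if rrtype == "DNSKEY":
            rec["flags"] = int(rdata[0])
            rec["alg"] = int(rdata[2])
        elif rrtype == "RRSIG":
            rec["covers"] = rdata[0]
            rec["alg"] = int(rdata[1])
            rec["keytag"] = int(rdata[6])
        records.append(rec)
    return records


def dnskey_algorithms(records):
    """Set of algorithm numbers present in the DNSKEY RRset."""
    return {r["alg"] for r in records if r["type"] == "DNSKEY"}


def single_key_algorithms(records):
    """Algorithms carried by exactly one DNSKEY, mapped to that key's role.

    Because every RRset needs an RRSIG per DNSKEY algorithm, a key that is
    alone on its algorithm must sign every RRset, KSK or not.
    """
    roles_by_alg = defaultdict(list)
    for r in records:
        if r["type"] == "DNSKEY":
            # The SEP bit (flags & 1) distinguishes the KSK (257) from the ZSK (256).
            roles_by_alg[r["alg"]].append("KSK" if r["flags"] & 1 else "ZSK")
    return {alg: roles[0] for alg, roles in roles_by_alg.items() if len(roles) == 1}


def coverage_report(records):
    """Map each (owner, type) RRset to the DNSKEY algorithms it lacks an RRSIG for."""
    required = dnskey_algorithms(records)
    rrsets = {(r["owner"], r["type"]) for r in records if r["type"] != "RRSIG"}
    signed_algs = defaultdict(set)
    for r in records:
        if r["type"] == "RRSIG":
            signed_algs[(r["owner"], r["covers"])].add(r["alg"])
    return {rrset: required - signed_algs[rrset] for rrset in rrsets}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_ZONE)
    for alg, role in sorted(single_key_algorithms(recs).items()):
        print(f"algorithm {alg}: only one key ({role}), so it must sign every RRset")
    for (owner, rrtype), missing in sorted(coverage_report(recs).items()):
        status = "ok" if not missing else f"missing RRSIG for algorithm(s) {sorted(missing)}"
        print(f"{owner} {rrtype}: {status}")
```

Run against the sample, the report flags the apex A RRset as missing an algorithm 14 signature, which is exactly the state a validator would reject; the only ways to satisfy the rule are for the KSK to sign that RRset too (what named does) or for the KSK and ZSK to share an algorithm.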
