auto-dnssec sanity check (please)

Mark Andrews marka at isc.org
Thu Oct 1 23:05:30 UTC 2015


In message <CAGfsgR18n0ZaX0nXo=B3+xtr17Zu+aC2y+L6UWQVQHpS5np1hw at mail.gmail.com>, Jim Popovitch writes:
> Hello,
> 
> I recently rolled out auto-dnssec and inline-signing (v9.9.5), and
> today (1-Oct 00:00 UTC) was the first automatic zsk rollover.
> According to http://dnsviz.net/d/domainmail.org/dnssec/ it appears
> that the SOA is signed by the new zsk, but the rest of the RRs are
> still signed by the old.  That concerns me.   Is it as simple as
> cached responses?

Named re-signs RRsets as they fall due.  The key(s) that will sign
the set are determined by whether they are active or not at that point
in time.  Named does not re-sign the whole zone just because a key
became active.  As long as both the new and old keys are in the
DNSKEY RRset until the last RRset is re-signed and the old signatures
have timed out of caches, everything will validate.

Named's primary job is to answer queries.  Its secondary job is
to re-sign RRsets.  Re-signing too early is just wasting computing
resources and takes named away from its primary role.

A key rollover should look like this:

	key1 PPPPP------------------------------------
	key2 SSSSSSPPPPPPPPPPPPPPPPPPPPPPPPP----------
	key3 -----PSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
	key4 -------------------------------PSSSSSSSSS
	sigs MMM222MMMMMMMMMMMMMMMMMMMMMMM333MMMMMMMMM

S = Signing and published
P = Publish only
- = does not exist in the zone
M = mixed signatures in the zone
2 = only key2 signatures
3 = only key3 signatures

> -Jim P.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
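Mark's re-signing rule and his timeline, as an added day-by-day model that is not code from this thread or from BIND: each RRset keeps its current RRSIG until it falls due and is then re-signed with whichever ZSK is active that day, so the zone passes through a stretch of mixed signatures (the M columns above) and stays valid only while every key that still signs anything served or cached is in the DNSKEY RRset. The key names, the day numbers and the three constants (signature validity, re-sign window, cache TTL) are assumptions chosen to resemble named's behaviour, not values from the message.

```python
from dataclasses import dataclass

SIG_VALIDITY = 30    # days a freshly written RRSIG stays valid (model parameter)
RESIGN_WINDOW = 7    # named re-signs an RRset when this much validity is left (model parameter)
CACHE_TTL = 1        # largest TTL in the zone, in days: how long an old RRSIG can sit in caches

@dataclass
class Key:
    name: str
    publish: int    # day the DNSKEY appears in the zone        (P in the diagram)
    activate: int   # day it starts signing                     (S in the diagram)
    inactive: int   # day it stops signing but stays published (P again)
    delete: int     # day the DNSKEY leaves the zone            (-)

def rollover(keys, expiries, last_day):
    """Run the zone day by day. An RRset is re-signed only when its RRSIG falls due,
    with whichever key is active that day. Returns {day: (signers in zone, validates)}."""
    sigs = [(keys[0].name, exp) for exp in expiries]    # (signer, expiry) per RRset
    seen, report = {}, {}
    for day in range(last_day + 1):
        active = [k.name for k in keys if k.activate <= day < k.inactive]
        assert active, f"no active ZSK on day {day}"
        sigs = [(signer, exp) if exp - day > RESIGN_WINDOW     # not due yet: leave it alone
                else (active[0], day + SIG_VALIDITY)           # due: sign with the active key
                for signer, exp in sigs]
        seen[day] = {signer for signer, _ in sigs}
        dnskey = {k.name for k in keys if k.publish <= day < k.delete}
        # a validator may still hold any RRSIG the zone served within the last CACHE_TTL days
        needed = set().union(*(seen[d] for d in range(max(0, day - CACHE_TTL), day + 1)))
        report[day] = (sorted(seen[day]), needed <= dnskey)
    return report

# Constructed scenario: key2 is pre-published on day 10 and takes over signing on day 40.
# Signatures in a live zone fall due at different times, so the initial expiries are staggered.
INITIAL_EXPIRIES = [8 + 3 * i for i in range(10)]
KEYS_OK = [Key("key1", 0, 0, 40, 70), Key("key2", 10, 40, 400, 400)]
KEYS_EARLY_DELETE = [Key("key1", 0, 0, 40, 60), Key("key2", 10, 40, 400, 400)]

def first_day_signed_only_by(report, name):
    """First day on which every RRSIG in the zone is from `name` (the end of the M stretch)."""
    return next(day for day, (signers, _) in sorted(report.items()) if signers == [name])

if __name__ == "__main__":
    ok = rollover(KEYS_OK, INITIAL_EXPIRIES, 80)
    early = rollover(KEYS_EARLY_DELETE, INITIAL_EXPIRIES, 80)
    print("mixed signatures until day", first_day_signed_only_by(ok, "key2") - 1)
    print("deleting key1 on day 60 breaks validation on days",
          [d for d, (_, valid) in early.items() if not valid])
```

Note that on days 40 and 41 key2 is already active yet nothing has been re-signed with it, and that the zone only breaks when key1 is deleted while an RRSIG it made is still in the zone or within TTL of a cache.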