DNSSEC ZSK key rollover, why is my zone double signed?

Robert Senger robert.senger at lists.microscopium.de
Sat Sep 5 09:53:39 UTC 2015


Hi all,

I am having trouble with the DNSSEC ZSK rollover for one of my zones.
Key rollover for all zones was scheduled at Thursday September 3,
22:00:00 CEST. While everything worked well for most zones, one zone
became double signed. Below I've pasted public keys for one good and for
the double signed zone, and links to dnsviz.net that show what has
happened.


Good zone:

root at prokyon:/etc/bind# cat Kfamilie-senger.net.+008+07938.key 
; This is a zone-signing key, keyid 7938, for familie-senger.net.
; Created: 20150827010022 (Thu Aug 27 03:00:22 2015)
; Publish: 20150827180000 (Thu Aug 27 20:00:00 2015)
; Activate: 20150827200000 (Thu Aug 27 22:00:00 2015)
; Inactive: 20150903200000 (Thu Sep  3 22:00:00 2015)
; Delete: 20150910200000 (Thu Sep 10 22:00:00 2015)
familie-senger.net. IN DNSKEY 256 3 8 AwEAAeANWhUDx4ERwloTfLcfvMfnQzkNUHmr36Nh94RiunIpL3+NNnx/ 3NFBwcJ+OLvGwuK4ThV25oBeajGzrnaYdRN8y1hGV8fwdp0F9eGDJw0C Xddef7YyMtw5ZWG6iPzsHNfaJqsPeyQXtjwMMfqg2KFi2sxhjmzvmUVF 9qgjArTnCMX2A7ti79Sqcjhkim/Roizj92B8iw9RYix/GIUXvezSzZ7l 1IBh+EA42UGgGbbWRqBZ3zgX7B0O5DrWflcyT4pAQz//h/T2FPhzvn5G BlksjSKIqdHPK+PcxbvvjNpiZ5liQlZdV513dxN30AdF64WyNI10DDK8 fVOyaAf9Zxc=
root at prokyon:/etc/bind# cat Kfamilie-senger.net.+008+00885.key 
; This is a zone-signing key, keyid 885, for familie-senger.net.
; Created: 20150903110815 (Thu Sep  3 13:08:15 2015)
; Publish: 20150903180000 (Thu Sep  3 20:00:00 2015)
; Activate: 20150903200000 (Thu Sep  3 22:00:00 2015)
; Inactive: 20150910200000 (Thu Sep 10 22:00:00 2015)
; Delete: 20150917200000 (Thu Sep 17 22:00:00 2015)
familie-senger.net. IN DNSKEY 256 3 8 AwEAAfAthkzFH24mynoF2FYzf/ezaVpl1h/3JQJyRHUkQTbY6EszhM8d dgisbgkXjcd47HcPQMb2cAddQfLUQpcwNpgV6ugvYG7obmPQ4VrQHT5l S5S7rUTz2o7S6Af9se0aszxFI9322NAInU4B2tHBj9WiWP/vSLec48i4 79f5j3kXNZB2uGQV757mc20d9G2xTiP8xmDW2ywvnM8mXFPfCAnCYx0j LsmzCG4BSVtWrT9gQJIvbeM7ODHZgUAEAhfHhtcYQpD58miTkUFD8nDp /iAu3FTq9AlyoJmAqD4HhYNZsSWdzUCJBxsl7+xi+Ts12yXLeRKk3NKd gVqr7IUcmSE=

See dnsviz: http://dnsviz.net/d/familie-senger.net/dnssec/



Double signed zone:

root at prokyon:/etc/bind# cat Kmicroscopium.de.+008+18903.key 
; This is a zone-signing key, keyid 18903, for microscopium.de.
; Created: 20150827010002 (Thu Aug 27 03:00:02 2015)
; Publish: 20150827180000 (Thu Aug 27 20:00:00 2015)
; Activate: 20150827200000 (Thu Aug 27 22:00:00 2015)
; Inactive: 20150903200000 (Thu Sep  3 22:00:00 2015)
; Delete: 20150910200000 (Thu Sep 10 22:00:00 2015)
microscopium.de. IN DNSKEY 256 3 8 AwEAAcH+5fi77XDBXYagvneBQNiPGGrohgXXf5t0DY1+rt6GUzBkEIle QdonDdjWmyHoANUZ/VStOgpZJFGQrp3LxtgtvZZbFq9EfQ4waMWQWY36 pxhDyac1X72dm3Eb+378GnR8SeIT+/NJDOEr9+yWrOd/FEM7le3JJyV5 qQrgP70R9QsMHRbttOJxd0qAHWod/vrY3uegx54i3REVpZwtxS3nhuUl kqxMbILTFiDV6LpI4bAasTc7Es08vs2op0fy/wT36x0ma2SttgWDOL+e jLqgWF5qiMYqrXScggPOTTaMiW0rPBKntpqkifl0G56IOOKAkVzqk4ME C3Ve3tBcY0M=
root at prokyon:/etc/bind# cat Kmicroscopium.de.+008+03234.key 
; This is a zone-signing key, keyid 3234, for microscopium.de.
; Created: 20150903110745 (Thu Sep  3 13:07:45 2015)
; Publish: 20150903180000 (Thu Sep  3 20:00:00 2015)
; Activate: 20150903200000 (Thu Sep  3 22:00:00 2015)
; Inactive: 20150910200000 (Thu Sep 10 22:00:00 2015)
; Delete: 20150917200000 (Thu Sep 17 22:00:00 2015)
microscopium.de. IN DNSKEY 256 3 8 AwEAAdT8E9n/mCorGHF4u4GBJnQ+4QzRDXQlhZjCLhRCxNAVWKaaLBYJ Vzx0uvtc8/W7+wX/Sax/S5EK1ym/74tzXH7q323t8gLEt78ZERHF5zEU DAvGEa+/Evf/h1M72FLOFjVpAhHfSc3JKfUYi8hrws7kZ4twMsEIepso dSMfa9N7WpQPkfjIAaY/kSxVcapCvKzmleiSU1Q2hRvduOwfTjE90xxg OfGzA7C+sCIT09pqtemluzYdOs1NaONrkaUD3ad+InqAne/a8xhnjZfD Nz57oxaYsffgiMahUVNTzMZukLbn30soRatdGEgEFmYvpSrrgDX3ceu3 3sNSzDhwIKE=

See dnsviz: http://dnsviz.net/d/microscopium.de/dnssec/


For both zones, the old key (top) became inactive on Sep 3 22:00:00, and
the new key (bottom) took over. After a few days, all (at least those
checked by dnsviz.net) RRs were signed by the new key, with the old
signature removed. But in the zone that became double signed, the old
key's signatures for the RRs weren't removed. Why?

Everything is configured identically for both zones, and I can't see any
reason why one zone became double signed. I've never triggered manual
signing for any zone.

Any hints what might have happened here? If you need more information,
let me know (the logs only show not very helpful information).

Cheers, 

Robert


-- 
Robert Senger
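As an added example for readers of this thread (not BIND code and not the poster's), the script below parses the timing comments that dnssec-keygen writes into K*.key files, reports which keys should be signing at a given instant, and checks the pre-publish rollover timeline for inconsistencies. The metadata strings are copied from the microscopium.de key files quoted above; the key material itself is omitted.

```python
import re
from datetime import datetime, timezone

# Timing comments copied from the posted K*.key files for microscopium.de
# (public key lines omitted; only the metadata matters here).
OLD_ZSK = """; This is a zone-signing key, keyid 18903, for microscopium.de.
; Created: 20150827010002 (Thu Aug 27 03:00:02 2015)
; Publish: 20150827180000 (Thu Aug 27 20:00:00 2015)
; Activate: 20150827200000 (Thu Aug 27 22:00:00 2015)
; Inactive: 20150903200000 (Thu Sep  3 22:00:00 2015)
; Delete: 20150910200000 (Thu Sep 10 22:00:00 2015)
"""
NEW_ZSK = """; This is a zone-signing key, keyid 3234, for microscopium.de.
; Created: 20150903110745 (Thu Sep  3 13:07:45 2015)
; Publish: 20150903180000 (Thu Sep  3 20:00:00 2015)
; Activate: 20150903200000 (Thu Sep  3 22:00:00 2015)
; Inactive: 20150910200000 (Thu Sep 10 22:00:00 2015)
; Delete: 20150917200000 (Thu Sep 17 22:00:00 2015)
"""

def parse_key_file(text):
    """Return (keyid, {event: UTC datetime}) from the ';' metadata comments.
    The 14-digit stamps are UTC; the parenthesised local times are ignored."""
    keyid = int(re.search(r"keyid (\d+)", text).group(1))
    times = {m.group(1): datetime.strptime(m.group(2), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
             for m in re.finditer(r"^;\s*(Publish|Activate|Inactive|Delete):\s*(\d{14})", text, re.M)}
    return keyid, times

def key_state(times, at):
    """Lifecycle state of one key at instant `at`, checked from latest event to earliest.
    'inactive' means the DNSKEY is still published but must no longer produce RRSIGs."""
    for event, state in (("Delete", "deleted"), ("Inactive", "inactive"),
                         ("Activate", "active"), ("Publish", "published")):
        if event in times and at >= times[event]:
            return state
    return "unpublished"

def expected_signers(keys, at):
    """Key IDs whose RRSIGs should be present at `at`: only keys in state 'active'."""
    return sorted(kid for kid, t in keys.items() if key_state(t, at) == "active")

def check_prepublish_rollover(old, new):
    """Flag timing inconsistencies in a pre-publish ZSK rollover from old to new."""
    problems = []
    if not new["Publish"] < new["Activate"]:
        problems.append("new key is not pre-published before it starts signing")
    if new["Activate"] != old["Inactive"]:
        problems.append("old key stops signing at a different time than the new key starts")
    if not old["Inactive"] < old["Delete"]:
        problems.append("old key is deleted before it goes inactive")
    return problems
```

Running it against the posted timings reports no problems, so a dnsviz view that still shows RRSIGs from key 18903 after Sep 3 22:00 CEST is a signing-side issue, not a key-timing one.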
