DNSSEC rollover fails

bobjunk bobjunk at treborlogic.com
Tue Dec 27 16:19:02 UTC 2016


I have been fighting with my automatic DNSSEC ZSK rollover recipe for 
the last year and keep having issues with it.

My existing keys are set to become inactive on Jan 1 2017, and to be 
deleted Feb 1 2017.
The replacement keys are set to publish on Dec 2 2016 and become active 
on Jan 1 2017.

The replacement keys published as expected and haven't been used for 
signing yet as expected.

I woke up last Friday Dec 23rd to find my zones failing validation. When 
I investigated I found the existing signatures expired on the 22nd and 
bind never resigned the records with the existing, currently still 
active keys.

It seemed to behave as though if the period the records would have been 
valid extended past the inactive date for the key, it simply refused to 
resign them.

My understanding is the inactive date sets the time that bind will no 
longer use the key to sign records but that the key would still be 
published and validators would consider records signed with the key as 
valid. My expectation was that bind would use the currently active key 
to sign records as needed up until the inactive timer is met.

The existing key timers:

; Created: 20160528120657 (Sat May 28 12:06:57 2016)
; Publish: 20160601000000 (Wed Jun  1 00:00:00 2016)
; Activate: 20160701000000 (Fri Jul  1 00:00:00 2016)
; Inactive: 20170101000000 (Sun Jan  1 00:00:00 2017)
; Delete: 20170201000000 (Wed Feb  1 00:00:00 2017)

The replacement key timers

; Created: 20161116164407 (Wed Nov 16 16:44:07 2016)
; Publish: 20161202000000 (Fri Dec  2 00:00:00 2016)
; Activate: 20170101000000 (Sun Jan  1 00:00:00 2017)

I ended up having to shut down bind and delete the .signed file and its 
journal for each zone, then start bind back up again to get it to sign 
the zone so I could get back online. Any commands via rndc to resign the 
zone were ignored.

Obviously this behavior isn't tolerable. I assume I have something set 
incorrectly but I can't find what it is. This issue also occurred at the 
last roll over. Once I deleted the signed files and restarted the server 
to get it to sign the zones again, the rollover occurred as expected. It 
just seems to not want to sign the records for that one last time before 
the inactive time is reached and will only do so if I completely nuke 
all the existing signatures.

# named -v
BIND 9.10.4-P4

Anyone have any ideas?
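An added example for readers following this thread (not code from the post, and not BIND's own logic): the `; Publish:` / `; Activate:` / `; Inactive:` / `; Delete:` comment lines quoted above are the timing metadata that dnssec-keygen writes into a `.key` file, so they can be parsed to audit a rollover plan before it runs. The script below classifies each key's state at a chosen instant, confirms that at least one ZSK is in the "active" state across the handover, and flags the condition the poster suspects: a signature made now whose validity window would extend past the signing key's Inactive date. The sample key text is constructed from the two keys in the post; whether BIND itself refuses to sign in that situation is the poster's observation, not something this script asserts.

```python
"""Audit DNSSEC key timing metadata for a planned ZSK rollover.

Added example, not part of the original post and not BIND code. It parses
the "; Timer: YYYYMMDDHHMMSS (...)" comment lines that dnssec-keygen and
dnssec-settime write into .key files and reports key state over time.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input, shaped like the two keys quoted in the post.
EXISTING_KEY = """\
; Created: 20160528120657 (Sat May 28 12:06:57 2016)
; Publish: 20160601000000 (Wed Jun  1 00:00:00 2016)
; Activate: 20160701000000 (Fri Jul  1 00:00:00 2016)
; Inactive: 20170101000000 (Sun Jan  1 00:00:00 2017)
; Delete: 20170201000000 (Wed Feb  1 00:00:00 2017)
"""

REPLACEMENT_KEY = """\
; Created: 20161116164407 (Wed Nov 16 16:44:07 2016)
; Publish: 20161202000000 (Fri Dec  2 00:00:00 2016)
; Activate: 20170101000000 (Sun Jan  1 00:00:00 2017)
"""

# Timer names as they appear in .key file comments; Revoke is also possible.
TIMER_RE = re.compile(
    r"^;\s*(Created|Publish|Activate|Inactive|Delete|Revoke):\s*(\d{14})"
)


def parse_stamp(stamp):
    """Turn a YYYYMMDDHHMMSS string into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_key_timers(text):
    """Return {timer_name: datetime} for every timer comment present in text."""
    timers = {}
    for line in text.splitlines():
        match = TIMER_RE.match(line)
        if match:
            timers[match.group(1)] = parse_stamp(match.group(2))
    return timers


def key_state(timers, now):
    """Classify a key at instant `now`; a missing timer means that event never happens."""
    if "Delete" in timers and now >= timers["Delete"]:
        return "deleted"
    if "Inactive" in timers and now >= timers["Inactive"]:
        return "inactive"      # still published, no longer used to sign
    if "Activate" in timers and now >= timers["Activate"]:
        return "active"        # used to sign
    if "Publish" in timers and now >= timers["Publish"]:
        return "published"     # pre-published, not yet signing
    return "unpublished"


def signature_outlives_key(timers, now, validity_days):
    """True if a signature made at `now` would expire after the key's Inactive time."""
    inactive = timers.get("Inactive")
    if inactive is None:
        return False           # key never goes inactive by its own metadata
    return now + timedelta(days=validity_days) > inactive


def has_active_signer(keys, now):
    """True if at least one key in `keys` is in the active state at `now`."""
    return any(key_state(parse_key_timers(t), now) == "active" for t in keys.values())


def rollover_report(keys, now, validity_days):
    """Per-key state plus the 'signature outlives Inactive' flag at `now`."""
    return {
        name: {
            "state": key_state(parse_key_timers(text), now),
            "signature_outlives_inactive": signature_outlives_key(
                parse_key_timers(text), now, validity_days
            ),
        }
        for name, text in keys.items()
    }


if __name__ == "__main__":
    keys = {"existing": EXISTING_KEY, "replacement": REPLACEMENT_KEY}
    # The day before the poster's signatures expired, with a 30-day validity window.
    now = parse_stamp("20161222000000")
    for name, row in rollover_report(keys, now, 30).items():
        print(f"{name}: {row}")
    print("active signer present:", has_active_signer(keys, now))
```

Run against the two keys above on 22 Dec 2016 with a 30-day signature validity, the existing key reports `active` with the outlives flag set (a signature made then would expire 21 Jan 2017, after the 1 Jan Inactive date), the replacement reports `published`, and an active signer exists both before and after 1 Jan 2017, so the plan itself has no gap in signing coverage.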

