SOA record not signed with new key at key-rollover
Mark Andrews
marka at isc.org
Sun Jul 17 04:06:07 UTC 2016
In message <5788C969.6070905 at enbewe.de>, Nis Wechselberg writes:
> Hi,
>
> I am currently testing a dnssec setup with the new dnssec-keymgr tool. I
> created a test zone with very fast key rollover settings and very short
> TTLs. (Configs below)
>
> The automated creation of keys seems to work fine but bind behaves differently
> than I would have expected.
>
> - Initial deployment looks fine with the current ZSK published and in use.
> (http://dnsviz.net/d/testmichhartundwild.de/V4ep6A/dnssec/)
ZSK = 36141
> - At prepublication time the next key is published but not yet used (as
> expected).
> (http://dnsviz.net/d/testmichhartundwild.de/V4fV_A/dnssec/)
New ZSK is 10173
> - After rollover time the new key is used to sign the zone EXCEPT the
> SOA record. This one is still signed by the old key.
> (http://dnsviz.net/d/testmichhartundwild.de/V4fyNQ/dnssec/)
No. The new ZSK signs the SOA record. The old signatures still exist
on the other records as the only RRset that changes is the SOA.
> - When post-publication of the old key expires it is removed and the new
> key is used for all records.
> (http://dnsviz.net/d/testmichhartundwild.de/V4gSGg/dnssec/)
>
>
> I am confused because of the special treatment of the SOA record. I would
> expect a complete switch to the new key. At the moment, cached responses
> of the SOA record could not be verified in the timeframe between
> deletion of the old key and the next TTL.
>
> Am I missing something?
>
> Regards,
> Nis
>
> ----
>
>
> dnssec-keymgr policy:
>
> zone testmichhartundwild.de {
> algorithm RSASHA256;
> directory "/etc/bind/zones/keys";
> coverage 2d;
> keyttl 600;
> roll-period zsk 8h;
> post-publish zsk 2h;
> pre-publish zsk 2h;
> };
>
>
> bind zone config:
>
> zone "testmichhartundwild.de" IN {
> type master;
>
> file "de/testmichhartundwild.de/zone.db";
>
> // Allow zone transfers to trusted servers
> allow-transfer {
> myServers;
> localhost;
> };
>
> // Allow updates with shared key
> update-policy {
> grant morpheus-trinity. zonesub any;
> };
> serial-update-method unixtime;
>
> // Activate dnssec for this domain
> key-directory "keys";
> auto-dnssec maintain;
> };
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
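The point of the reply above is that after the rollover only the RRset that actually changed (the SOA) carries a signature by the new ZSK, so the old key must stay published until no RRSIG refers to it any more. The following is an added example, not code from the thread or from BIND: it models the four zone snapshots Nis linked, using the key tags 36141 and 10173 from the thread and made-up RRset names, and checks whether any RRSIG points at a key that has already been withdrawn from the DNSKEY RRset (the situation a validator with a cached response would fail on).

```python
"""Consistency check for a ZSK rollover: every RRSIG must be made by a key
that is still present in the zone's DNSKEY RRset.  All data is constructed
for illustration; key tags 36141 (old ZSK) and 10173 (new ZSK) are taken
from the thread, the RRset names are invented."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Snapshot:
    phase: str
    dnskeys: set          # key tags currently published in the DNSKEY RRset
    rrsigs: dict          # RRset name -> key tag of the RRSIG covering it


def signers_in_use(snap: Snapshot) -> set:
    """Key tags that still sign at least one RRset in this snapshot."""
    return set(snap.rrsigs.values())


def orphaned_signatures(snap: Snapshot) -> list:
    """RRsets whose RRSIG refers to a key tag no longer in DNSKEY.  A
    validator holding such a cached RRSIG cannot validate it any more."""
    return sorted(n for n, tag in snap.rrsigs.items() if tag not in snap.dnskeys)


def safe_to_remove(snap: Snapshot, tag: int) -> bool:
    """The old ZSK may be withdrawn only once nothing is signed by it."""
    return tag not in signers_in_use(snap)


# The four phases as described in the thread (constructed RRset names).
PHASES = [
    Snapshot("initial", {36141}, {"SOA": 36141, "NS": 36141, "A": 36141}),
    Snapshot("pre-publish", {36141, 10173}, {"SOA": 36141, "NS": 36141, "A": 36141}),
    # After rollover only the SOA changed, so only it carries the new key's RRSIG.
    Snapshot("after-rollover", {36141, 10173}, {"SOA": 10173, "NS": 36141, "A": 36141}),
    Snapshot("post-publish-done", {10173}, {"SOA": 10173, "NS": 10173, "A": 10173}),
]

# What Nis worried about: the old key withdrawn while unchanged RRsets are
# still signed by it (constructed, not one of the snapshots from the thread).
PREMATURE = Snapshot("premature-removal", {10173},
                     {"SOA": 10173, "NS": 36141, "A": 36141})

if __name__ == "__main__":
    for s in PHASES + [PREMATURE]:
        print(f"{s.phase:20} signers={sorted(signers_in_use(s))} "
              f"orphaned={orphaned_signatures(s)}")
```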