dnssec KSK rollover

project722 project722 at gmail.com
Wed Aug 22 20:26:01 UTC 2018


Hey guys,

We received an email today about one of our recursive DNS servers that did
not support the new KSK for DNSSEC.

################################
On 11 October 2018, ICANN will change or "roll over" the DNSSEC key
signing key (KSK) of the DNS root zone. Based on information from your
network received at the DNS root name servers [1], we believe that
there may be at least one recursive resolver (also referred to as a
recursive name server or caching name server) with DNSSEC validation
enabled in AS11272 that is unprepared for the KSK rollover. If that
resolver is not updated before 11 October 2018, users of that resolver
will not be able to resolve any DNS queries, resulting in an outage
for them.
#################################

So, I followed the instructions here:

https://www.icann.org/dns-resolvers-updating-latest-trust-anchor

In my named.conf I changed:

dnssec-validation yes;

to

dnssec-validation auto;

I then moved my bind.keys file (which does have the latest keys) into the
named working directory. Chown'd it so that named could have group
ownership and could write to it. I then restarted named. I started seeing
these in the logs:

dnssec: info: validating x.com: no valid signature found

So I tried a different approach. I moved the "managed keys" section into my named.conf file:

managed-keys {
    . initial-key 257 3 8
        "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
        FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
        bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
        X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
        W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
        Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
        QxA+Uk1ihz0=";
    . initial-key 257 3 8
        "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
        +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
        ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
        0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
        oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
        RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
        R1AkUTV74bU=";
};

Restarted BIND and still saw validation errors in the logs.

Can someone tell me what I am doing wrong?
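As an added example (not from the poster and not BIND's own code), here is a check a resolver operator can run on a managed-keys block like the one above: it parses each initial-key statement, recomputes the key's RFC 4034 key tag and RFC 4509 SHA-256 DS digest, and compares them with the DS records IANA publishes for the root zone (key tag 19036 for KSK-2010, 20326 for KSK-2017). The IANA_ROOT_DS digests are taken from IANA's root trust anchor publication, and the MANAGED_KEYS text is the poster's block with the base64 re-wrapped.

```python
import base64
import hashlib
import re
import struct

# Constructed input: the poster's managed-keys block (KSK-2010 and KSK-2017) with the
# base64 re-wrapped; BIND ignores whitespace inside the quoted key, and so does the parser.
MANAGED_KEYS = '''
managed-keys {
    . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
        bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
        W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
        QxA+Uk1ihz0=";
    . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
        ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
        oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
        R1AkUTV74bU=";
};
'''

# Root zone DS records (key tag -> SHA-256 digest) as published by IANA for KSK-2010 and KSK-2017.
IANA_ROOT_DS = {
    19036: "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5",
    20326: "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D",
}

_KEY_RE = re.compile(r'initial-key\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"')

def parse_managed_keys(text):
    """Return the DNSKEY RDATA (flags || protocol || algorithm || public key) of each anchor."""
    rdatas = []
    for flags, proto, alg, b64 in _KEY_RE.findall(text):
        pubkey = base64.b64decode(re.sub(r"\s+", "", b64))
        rdatas.append(struct.pack("!HBB", int(flags), int(proto), int(alg)) + pubkey)
    return rdatas

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for RSA/MD5, algorithm 1)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(rdata, owner_wire=b"\x00"):
    """RFC 4509 DS digest: SHA-256 over the owner name in wire form (root is one zero byte) + RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()

def check_anchors(text):
    """Map each anchor's key tag to whether its DS digest equals the IANA-published one."""
    return {key_tag(r): ds_sha256(r) == IANA_ROOT_DS.get(key_tag(r)) for r in parse_managed_keys(text)}
```

check_anchors(MANAGED_KEYS) returns {19036: True, 20326: True} for the block above; a False means the pasted key text was mangled or is not a root KSK, while a True only confirms the anchor itself, not that named is loading it, so the logged validation failures can still have another cause.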