dnssec KSK rollover

project722 project722 at gmail.com
Thu Aug 23 12:20:01 UTC 2018

Hi Tony,

I've removed the config for managed keys out of my named.conf, moved any
files called bind.keys out from my named working directory, and restarted
Bind. I see where Bind created two files - managed-keys.bind and
managed-keys.bind.jnl. So, I think I'm on the right track. That said, two

1) I am still seeing the "no valid signature found" messages in my
bind.log. However, *I don't think* this is a problem because when I
query a hostname against my server that produces one of these errors, it
still resolves. For instance,

# root at fccore 07:01:07 0 jobs ~ > delv @x.x.x.x ncentral.teklinks.com A
+multiline +rtrace
;; fetch: ncentral.teklinks.com/A
;; fetch: teklinks.com/DNSKEY
;; fetch: teklinks.com/DS
;; fetch: com/DNSKEY
;; fetch: com/DS
;; fetch: ./DNSKEY
;; fetch: teklinks.com.dlv.isc.org/DLV
;; fetch: dlv.isc.org/DNSKEY
;; validating ncentral.teklinks.com/A: no valid signature found
; unsigned answer
ncentral.teklinks.com.    2482 IN    A
ncentral.teklinks.com.    2482 IN    RRSIG A 5 3 43200 (
                20180915012340 20180816012340 46266 teklinks.com.
                sg4y1gokR+HXkeTKHr8RWayElh8gu5QKoQ== )

So, I can see here that it still resolves BUT something fails to validate a
signature. Where is the breakdown here? It was able to fetch the DNSKEY for

;; fetch: teklinks.com/DNSKEY

but not ncentral.teklinks.com:

;; validating ncentral.teklinks.com/A: no valid signature found

Shouldn't this validate? I mean, if teklinks.com can validate, shouldn't
the stub "ncentral" as well, since it's in the zonefile? What am I missing?

2) There is one other scenario that confuses me. When I test against a URL
that's purposely set up to fail DNSSEC, I get a SERVFAIL.

root at fccore 07:14:57 0 jobs ~ > delv @x.x.x.x www.dnssec-failed.org A
+multiline +rtrace
;; fetch: www.dnssec-failed.org/A
;; resolution failed: SERVFAIL

So, what's the difference between this and the scenario above in #1? My
concern is that our customers will get SERVFAILs when they try to access
sites like this one.

On Thu, Aug 23, 2018 at 6:33 AM Tony Finch <dot at dotat.at> wrote:

> project722 <project722 at gmail.com> wrote:
> >
> > In my named.conf I changed:
> >
> > dnssec-validation yes;
> >
> > to
> >
> > dnssec-validation auto;
> Good :-)
> Next thing to do is delete all trace of managed-keys or mkeys files or
> trusted-keys configuration, then restart `named`. It will automatically
> create managed-keys files with the correct contents - it has the current
> root KSKs built in, so you don't need the bind.keys file.
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> South Fitzroy: Northerly or northeasterly 5 or 6. Slight or moderate.
> Occasional drizzle. Good, occasionally poor at first.
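A small parser for the delv +rtrace transcripts quoted in this thread, as an added example (not code from the thread or from BIND): it classifies each transcript by delv's final verdict line ("; unsigned answer", "; fully validated", or a SERVFAIL) rather than by the per-record "validating ..." warnings, and flags whether a DLV lookaside fetch was made. The two samples are constructed from the output above; the address that was elided there is replaced with the documentation address 192.0.2.1.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the +rtrace transcript quoted above (the elided address is 192.0.2.1 here).
SAMPLE_INSECURE = """\
;; fetch: ncentral.teklinks.com/A
;; fetch: teklinks.com/DNSKEY
;; fetch: teklinks.com/DS
;; fetch: com/DNSKEY
;; fetch: com/DS
;; fetch: ./DNSKEY
;; fetch: teklinks.com.dlv.isc.org/DLV
;; fetch: dlv.isc.org/DNSKEY
;; validating ncentral.teklinks.com/A: no valid signature found
; unsigned answer
ncentral.teklinks.com.    2482 IN    A 192.0.2.1
"""

# Constructed sample: the second query in the post, against a deliberately broken zone.
SAMPLE_BOGUS = """\
;; fetch: www.dnssec-failed.org/A
;; resolution failed: SERVFAIL
"""

@dataclass
class DelvReport:
    status: str = "unknown"            # secure | insecure | bogus | error | unknown
    fetches: list = field(default_factory=list)
    validation: list = field(default_factory=list)   # (name/type, message) pairs
    used_dlv: bool = False             # DLV lookaside consulted; ISC retired DLV in 2017

def parse_delv(text: str) -> DelvReport:
    """Classify a delv +rtrace transcript by its final verdict line, not by its warnings."""
    r = DelvReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; fetch:"):
            name = line.split(":", 1)[1].strip()
            r.fetches.append(name)
            r.used_dlv |= name.endswith("/DLV")
        elif (m := re.match(r";; validating (\S+): (.*)", line)):
            r.validation.append((m.group(1), m.group(2)))   # a warning, not the verdict
        elif line.startswith(";; resolution failed:"):
            # A validating resolver answers SERVFAIL when the data fails validation (bogus).
            r.status = "bogus" if "SERVFAIL" in line else "error"
        elif line.startswith(";") and "fully validated" in line:
            r.status = "secure"      # chain of trust verified up to the root
        elif line.startswith(";") and "unsigned" in line:
            r.status = "insecure"    # proven unsigned: no trust chain, answer still returned
    return r
```

Run the two samples through parse_delv to see why the first name resolves (verdict "insecure") while the second does not (verdict "bogus"), and that the first transcript still consulted dlv.isc.org.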