key signing

Mark Andrews marka at isc.org
Tue Mar 10 23:03:57 UTC 2020


Firstly, don’t blindly add DS records without first checking that the DNSKEYs
they refer to are published.  DNSSEC is less tolerant of operator error and
sometimes things go wrong.  There are lots of “wait until …” in managing DNSSEC,
and if you don’t wait, DNSSEC validations will fail as a result, as you have seen.

I see the following which indicates to me that 9675 is published but not active
and 28998 is published and active.

[beetle:~/git/bind9] marka% dig dnskey cascocom.com @ns1.peak.org +dnssec +rrcom

; <<>> DiG 9.15.4 <<>> dnskey cascocom.com @ns1.peak.org +dnssec +rrcom
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20347
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cascocom.com.			IN	DNSKEY

;; ANSWER SECTION:
cascocom.com.		3600	IN	DNSKEY	256 3 5 AwEAAcA0mHBs2j1IuElgHpUUdGcBhWumR/0bjiWT4BRuuikP3TPsPh5T Ti3ps/0f7uwMG02tai69+LRycq8vrPDCB92FvwHw8ACVPxdJ6ZRVCKKp 7peayPXJ0hlWurdAQXbX6WXU74a5hLYZ+2/rN+3BPyvImxO2o4RM5ay4 JlU59n5v  ; ZSK; alg = RSASHA1 ; key id = 9675
cascocom.com.		3600	IN	DNSKEY	256 3 8 AwEAAbzsNZ6nTPgAjprXeuInoS24oSvDktzfDJxbd01Ggbpg+DCFHNQI W9O2PlujvKPNZWw4I0lYNTREF4y3gl4sgBPRjaxv1Y274WBMgl/zNcDV V7wBXBSHS3k/52HbP/KlL9kuxBKPbl40Kji3Fj2ZOpPuXxM+Y0uaYWeS 0kCgfs2h  ; ZSK; alg = RSASHA256 ; key id = 28998
cascocom.com.		3600	IN	RRSIG	DNSKEY 8 2 3600 20200409011715 20200310001715 28998 cascocom.com. R2yjLkUxmoA8JEmcyaRx/t43OZXINXBjDTA0HhxBgtwhIIK9DRq7RnW1 bNjN88qqzGqjWIIE+AG7Xk+8PXRAUeyQzWFDkMrqbg/qxlBvK+MgMlTJ VdWp2UdoDEn7A6feGNuoS7eBCDD+d+/DDjWZFU3D3YAIr6B7nJiu0hHF 8RQ=

;; Query time: 509 msec
;; SERVER: 207.55.16.51#53(207.55.16.51)
;; WHEN: Wed Mar 11 09:50:14 AEDT 2020
;; MSG SIZE  rcvd: 509

[beetle:~/git/bind9] marka% 

and with the following DS records there isn’t a secure path.

cascocom.com.		85427	IN	DS	9675 5 2 EBC1B325B8740433571AC648B0925A2158D5521446DFE50402142243E834F234
cascocom.com.		85427	IN	DS	30841 8 2 E8870853532B4CF3588FE6B4DE59324F5E99C8C40F29CDED06845321CFDAB46C

Now, I don’t know exactly what you did, but the detected error will have been logged.

Mark

> On 11 Mar 2020, at 09:39, Alan Batie <alan at peak.org> wrote:
> 
> I've got a test domain that I thought I had all working, but noticed the
> key signing key was missing, so I generated one and did an rndc loadkeys
> to get things updated, then generated a ds record for it and uploaded
> that to the registrar, however, it still shows broken, and when I look,
> I see that the zone signing key 28998 is self-signed, rather than being
> signed by the zsk 30841?  Am I misunderstanding something here?
> 
> keys/Kcascocom.com.+008+28998.key:; This is a zone-signing key, keyid
> 28998, for cascocom.com.
> keys/Kcascocom.com.+008+30841.key:; This is a key-signing key, keyid
> 30841, for cascocom.com.
> 
> ;; ANSWER SECTION:
> cascocom.com.		3600	IN	DNSKEY	256 3 8
> AwEAAbzsNZ6nTPgAjprXeuInoS24oSvDktzfDJxbd01Ggbpg+DCFHNQI
> W9O2PlujvKPNZWw4I0lYNTREF4y3gl4sgBPRjaxv1Y274WBMgl/zNcDV
> V7wBXBSHS3k/52HbP/KlL9kuxBKPbl40Kji3Fj2ZOpPuXxM+Y0uaYWeS 0kCgfs2h  ;
> ZSK; alg = RSASHA256 ; key id = 28998
> cascocom.com.		3600	IN	RRSIG	DNSKEY 8 2 3600 20200409011715
> 20200310001715 28998 cascocom.com.
> R2yjLkUxmoA8JEmcyaRx/t43OZXINXBjDTA0HhxBgtwhIIK9DRq7RnW1
> bNjN88qqzGqjWIIE+AG7Xk+8PXRAUeyQzWFDkMrqbg/qxlBvK+MgMlTJ
> VdWp2UdoDEn7A6feGNuoS7eBCDD+d+/DDjWZFU3D3YAIr6B7nJiu0hHF 8RQ=
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
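A check of the kind Mark describes, added here as an example (not code from the thread or from BIND): it recomputes each DNSKEY's key tag and DS digest per RFC 4034 from the records quoted above and reports, for each DS record, whether it leads to a published DNSKEY that is actually signing the DNSKEY RRset. The record data is copied from the dig output and DS records above; the function names are this example's own, and the RRSIG bytes are not cryptographically verified.

```python
import base64, hashlib, struct
# Records copied from the dig output and DS records quoted in the thread.
DNSKEYS = [  # (flags, protocol, algorithm, base64 public key)
    (256, 3, 5, "AwEAAcA0mHBs2j1IuElgHpUUdGcBhWumR/0bjiWT4BRuuikP3TPsPh5T"
                "Ti3ps/0f7uwMG02tai69+LRycq8vrPDCB92FvwHw8ACVPxdJ6ZRVCKKp"
                "7peayPXJ0hlWurdAQXbX6WXU74a5hLYZ+2/rN+3BPyvImxO2o4RM5ay4"
                "JlU59n5v"),
    (256, 3, 8, "AwEAAbzsNZ6nTPgAjprXeuInoS24oSvDktzfDJxbd01Ggbpg+DCFHNQI"
                "W9O2PlujvKPNZWw4I0lYNTREF4y3gl4sgBPRjaxv1Y274WBMgl/zNcDV"
                "V7wBXBSHS3k/52HbP/KlL9kuxBKPbl40Kji3Fj2ZOpPuXxM+Y0uaYWeS"
                "0kCgfs2h"),
]
DNSKEY_SIGNERS = {(28998, 8)}  # (key tag, algorithm) of each RRSIG(DNSKEY) seen
DS_RECORDS = [  # (key tag, algorithm, digest type, hex digest) in the parent zone
    (9675, 5, 2, "EBC1B325B8740433571AC648B0925A2158D5521446DFE50402142243E834F234"),
    (30841, 8, 2, "E8870853532B4CF3588FE6B4DE59324F5E99C8C40F29CDED06845321CFDAB46C"),
]
def key_tag(rdata):
    # RFC 4034 Appendix B (valid for every algorithm except RSAMD5).
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF
def ds_digest_sha256(owner, rdata):
    # DS digest type 2: SHA-256 over the canonical owner name (wire form) + RDATA.
    labels = owner.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest().upper()
def published_keys(dnskeys):
    # Map (key tag, algorithm) -> DNSKEY RDATA for every key in the RRset.
    keys = {}
    for flags, proto, alg, b64 in dnskeys:
        rd = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(b64)
        keys[(key_tag(rd), alg)] = rd
    return keys
def check_ds(owner, ds_records, dnskeys, signers):
    # Map each DS key tag to a verdict: does this DS give validators a secure path?
    published = published_keys(dnskeys)
    verdict = {}
    for tag, alg, dtype, digest in ds_records:
        rd = published.get((tag, alg))
        if rd is None:
            verdict[tag] = "not published"
        elif (tag, alg) not in signers:
            verdict[tag] = "published but not signing DNSKEY RRset"
        elif dtype != 2 or ds_digest_sha256(owner, rd) != digest.upper():
            verdict[tag] = "digest mismatch"
        else:  # the RRSIG bytes themselves are not cryptographically verified here
            verdict[tag] = "secure path"
    return verdict
```

Run on the records above, the check reports 9675 as published but not signing and 30841 as not published, which is why no DS currently yields a secure path.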
