DNSSEC and NSEC missing ZSK?
matthijs at isc.org
Mon Feb 8 14:24:12 UTC 2021
On 08-02-2021 12:20, @lbutlr wrote:
> I feel I am getting close. I got the digest generated for hover.com and updated the DNS on the test zone, but I am getting errors on verify that I don't understand.
> # dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed
> Loading zone 'example.com' from file '/etc/namedb/working/example.com.signed'
> Verifying the zone using the following algorithms:
> - ECDSAP256SHA256
> Missing ZSK for algorithm ECDSAP256SHA256
> Missing NSEC record for blog.example.com
> Missing NSEC record for wiki.example.com
> Missing NSEC record for foobar.example.com
> Missing NSEC record for barfoo.example.com
> The zone is not fully signed for the following algorithms:
> DNSSEC completeness test failed.
> The missing ZSK is throwing me, and I don't know what to add to my zone record for NSEC. I am following along (trying) with https://bind9.readthedocs.io/en/latest/dnssec-guide.html which makes no mention of this, but shows NSEC showing up in the output of the signed file.
Use dnssec-verify -z to indicate that the ZSK may be the same key as the
The missing NSEC records are more worrisome.
> The only thing I can find that seems relevant (though it is for bind 9.7.3) is part of the key generation, but I did not generate the keys manually, bind did that with dnssec-policy default;
> ; This is the state of key 18434, for example.com.
> Algorithm: 13
> Length: 256
> Lifetime: 0
> KSK: yes
> ZSK: yes
> Generated: 20210202180145 (Tue Feb 2 11:01:45 2021)
> Published: 20210202180145 (Tue Feb 2 11:01:45 2021)
> Active: 20210202180145 (Tue Feb 2 11:01:45 2021)
> PublishCDS: 20210203190645 (Wed Feb 3 12:06:45 2021)
> DNSKEYChange: 20210202200645 (Tue Feb 2 13:06:45 2021)
> ZRRSIGChange: 20210203190645 (Wed Feb 3 12:06:45 2021)
> KRRSIGChange: 20210202200645 (Tue Feb 2 13:06:45 2021)
> DSChange: 20210203190645 (Wed Feb 3 12:06:45 2021)
> DNSKEYState: omnipresent
> ZRRSIGState: omnipresent
> KRRSIGState: omnipresent
> DSState: rumoured
> GoalState: omnipresent
> So the state file says the ZSK is yes, but dnssec-verify says no.
> I ran delv test and it looks as I expect based on the guide linked above.
> # delv @127.0.0.1 -a /tmp/Kexample.com.+013+18434.key +root=example.com example.com SOA +multiline
> ; fully validated
> example.com. 3600 IN SOA ns1.example.net. admin.example.net. (
> 2018022422 ; serial
> 300 ; refresh (5 minutes)
> 300 ; retry (5 minutes)
> 18000 ; expire (5 hours)
> 3600 ; minimum (1 hour)
> example.com. 3600 IN RRSIG SOA 13 2 3600 (
> 20210221095138 20210207085138 18434 example.com.
> Is there a way to force rndc/bind to recreate the .signed file? If I move it aside and restart named or rndc reload or rndc reconfig, the signed zone file is not recreated.
rndc sign zone
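Added example (not from the thread and not BIND's own code): a small Python checker that reproduces the two dnssec-verify complaints quoted above on a constructed zone excerpt, showing why a single CSK (DNSKEY flags 257, as dnssec-policy default creates) trips the ZSK test unless the -z behaviour is allowed, and which owner names lack NSEC records. It assumes one fully qualified record per line and an NSEC (not NSEC3) zone; the zone data and key material are placeholders.

```python
from collections import defaultdict

# Constructed signed-zone excerpt (not the poster's real data): one CSK
# (flags 257, algorithm 13) and four owner names, two of which lack NSEC.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.net. admin.example.net. 2018022422 300 300 18000 3600
example.com. 3600 IN DNSKEY 257 3 13 placeholderpublickeydata==
example.com. 3600 IN NSEC blog.example.com. SOA NS DNSKEY RRSIG NSEC
blog.example.com. 3600 IN A 192.0.2.10
blog.example.com. 3600 IN NSEC wiki.example.com. A RRSIG NSEC
wiki.example.com. 3600 IN A 192.0.2.11
foobar.example.com. 3600 IN A 192.0.2.12
"""

def parse_records(zone_text):
    """Yield (owner, rtype, rdata_fields) per one-line record; skip comments and $-directives."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        # Tolerate an optional TTL and an optional class between owner and type.
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):
            rest = rest[1:]
        yield owner.lower(), rest[0].upper(), rest[1:]

def missing_zsk_algorithms(zone_text, allow_csk=False):
    """Return algorithm numbers that have a DNSKEY but no zone-signing key (flags 256).
    allow_csk mirrors dnssec-verify -z: a KSK-flagged key (257) may also sign zone data."""
    keys = defaultdict(set)
    for owner, rtype, rdata in parse_records(zone_text):
        if rtype == "DNSKEY":
            flags, algorithm = int(rdata[0]), int(rdata[2])
            keys[algorithm].add(flags)
    return sorted(alg for alg, flagset in keys.items()
                  if not (allow_csk or 256 in flagset))

def names_missing_nsec(zone_text):
    """Return owner names that carry data but have no NSEC record (the chain is incomplete)."""
    owners, with_nsec = set(), set()
    for owner, rtype, _ in parse_records(zone_text):
        if rtype == "NSEC":
            with_nsec.add(owner)
        elif rtype not in ("RRSIG", "NSEC3", "NSEC3PARAM"):
            owners.add(owner)
    return sorted(owners - with_nsec)
```

Glue records below a delegation would be reported as missing NSEC by this simplified check, since it does not track zone cuts.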