dnssec-policy is not signing anymore

Tom lists at verreckte-cheib.ch
Mon Nov 29 08:36:24 UTC 2021


Hi

Using BIND-9.16.22:
After some tests with the new KASP feature, I'm running into an issue 
where BIND isn't signing the zone anymore.

In the old-fashioned way (auto-dnssec maintain;), I was able, under some 
circumstances, to remove the ".signed", ".signed.jnl" and ".jnl" files, 
restart BIND, and everything was fine: the zone was signed 
automatically with the existing keys.

In the special case now, I removed the ZSK key files and removed all 
.signed, .signed.jnl and .jnl files for a zone (like in the old way). 
The KSK still exists, and a new ZSK is created through the "dnssec-policy":


## Newly created ZSK through dnssec-policy
$ cat Kexample.ch.+013+27534.state
; This is the state of key 27534, for example.ch.
Algorithm: 13
Length: 256
Lifetime: 604800
KSK: no
ZSK: yes
Generated: 20211129062825 (Mon Nov 29 07:28:25 2021)
Published: 20211129062825 (Mon Nov 29 07:28:25 2021)
Active: 20211129062825 (Mon Nov 29 07:28:25 2021)
Retired: 20211206062825 (Mon Dec  6 07:28:25 2021)
Removed: 20211216073325 (Thu Dec 16 08:33:25 2021)
DNSKEYChange: 20211129062825 (Mon Nov 29 07:28:25 2021)
ZRRSIGChange: 20211129062825 (Mon Nov 29 07:28:25 2021)
DNSKEYState: rumoured
ZRRSIGState: hidden
GoalState: omnipresent

$ cat Kexample.ch.+013+27534.key
; This is a zone-signing key, keyid 27534, for example.ch.
; Created: 20211129062825 (Mon Nov 29 07:28:25 2021)
; Publish: 20211129062825 (Mon Nov 29 07:28:25 2021)
; Activate: 20211129062825 (Mon Nov 29 07:28:25 2021)
; Inactive: 20211206062825 (Mon Dec  6 07:28:25 2021)
; Delete: 20211216073325 (Thu Dec 16 08:33:25 2021)
example.ch. 3600 IN DNSKEY 256 3 13 
3YU6kADe6IRhJ2rcmHOrPgH6tq/7PQQP7VpLBA70p/bPQFPRagdxuGdl 
XrDg7tQ9WTr553BA5dUGqRBEYYQTUw==



## Already existing KSK
$ cat Kexample.ch.+013+61416.state
; This is the state of key 61416, for example.ch.
Algorithm: 13
Length: 256
Lifetime: 0
KSK: yes
ZSK: no
Generated: 20211012145017 (Tue Oct 12 16:50:17 2021)
Published: 20211012145017 (Tue Oct 12 16:50:17 2021)
Active: 20211012145017 (Tue Oct 12 16:50:17 2021)
PublishCDS: 20211012145017 (Tue Oct 12 16:50:17 2021)
DNSKEYChange: 20211118133245 (Thu Nov 18 14:32:45 2021)
KRRSIGChange: 20211118133245 (Thu Nov 18 14:32:45 2021)
DSChange: 20211118133245 (Thu Nov 18 14:32:45 2021)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: omnipresent
GoalState: omnipresent


$ cat Kexample.ch.+013+61416.key
; This is a key-signing key, keyid 61416, for example.ch.
; Created: 20211012145017 (Tue Oct 12 16:50:17 2021)
; Publish: 20211012145017 (Tue Oct 12 16:50:17 2021)
; Activate: 20211012145017 (Tue Oct 12 16:50:17 2021)
; SyncPublish: 20211012145017 (Tue Oct 12 16:50:17 2021)
example.ch. IN DNSKEY 257 3 13 
bT4QClt+P9+t1+vF/Ulj7DSISBVMV86TktfNqheiUVGqfZ2hsEpYP140 
flVurgV17M/nzujoMW0KgyTuP3p4Kw==




## BIND detects the already existing KSK, but logs a warning that the KSK 
is missing or inactive.
29-Nov-2021 07:28:25.653 dnssec: info: keymgr: DNSKEY 
example.ch/ECDSAP256SHA256/27534 (ZSK) created for policy thewaytogo-faster
29-Nov-2021 07:28:25.654 dnssec: info: Fetching 
example.ch/ECDSAP256SHA256/61416 (KSK) from key repository.
29-Nov-2021 07:28:25.654 dnssec: info: DNSKEY 
example.ch/ECDSAP256SHA256/61416 (KSK) is now published
29-Nov-2021 07:28:25.654 dnssec: info: DNSKEY 
example.ch/ECDSAP256SHA256/61416 (KSK) is now active
29-Nov-2021 07:28:25.654 dnssec: info: Fetching 
example.ch/ECDSAP256SHA256/27534 (ZSK) from key repository.
29-Nov-2021 07:28:25.654 dnssec: info: DNSKEY 
example.ch/ECDSAP256SHA256/27534 (ZSK) is now published
29-Nov-2021 07:28:25.654 general: info: CDS for key 
example.ch/ECDSAP256SHA256/61416 is now published
29-Nov-2021 07:28:25.654 general: info: CDNSKEY for key 
example.ch/ECDSAP256SHA256/61416 is now published
29-Nov-2021 07:28:25.659 dnssec: info: zone example.ch/IN (signed): next 
key event: 29-Nov-2021 09:33:25.641
29-Nov-2021 07:28:25.660 general: warning: zone example.ch/IN (signed): 
Key example.ch/ECDSAP256SHA256/61416 missing or inactive and has no 
replacement: retaining signatures.




## But the KSK (61416) exists and seems to be signing
$ rndc dnssec -status example.ch
dnssec-policy: thewaytogo-faster
current time:  Mon Nov 29 09:10:42 2021

key: 61416 (ECDSAP256SHA256), KSK
   published:      yes - since Tue Oct 12 16:50:17 2021
   key signing:    yes - since Tue Oct 12 16:50:17 2021

   No rollover scheduled
   - goal:           omnipresent
   - dnskey:         omnipresent
   - ds:             omnipresent
   - key rrsig:      omnipresent

key: 27534 (ECDSAP256SHA256), ZSK
   published:      yes - since Mon Nov 29 07:28:25 2021
   zone signing:   no

   Next rollover scheduled on Mon Dec  6 05:23:25 2021
   - goal:           omnipresent
   - dnskey:         rumoured
   - zone rrsig:     hidden



So, BIND detects the already existing KSK and the ZSK, but is not able to 
sign the DNSKEY RRset with the KSK or some TXT records with the ZSK.


## The DNSKEY RRs exist, but the RRSIG is missing
$ dig +short @127.0.0.1 +norec +dnssec dnskey example.ch
256 3 13 3YU6kADe6IRhJ2rcmHOrPgH6tq/7PQQP7VpLBA70p/bPQFPRagdxuGdl 
XrDg7tQ9WTr553BA5dUGqRBEYYQTUw==
257 3 13 bT4QClt+P9+t1+vF/Ulj7DSISBVMV86TktfNqheiUVGqfZ2hsEpYP140 
flVurgV17M/nzujoMW0KgyTuP3p4Kw==


The dnssec-policy looks like this:
dnssec-policy "thewaytogo-faster" {
     signatures-refresh 5d;
     signatures-validity 14d;
     signatures-validity-dnskey 14d;
     dnskey-ttl 3600s;
     publish-safety 1h;
     retire-safety 1h;
     purge-keys 30d;
     keys {
         ksk lifetime unlimited algorithm ecdsap256sha256;
         zsk lifetime 7d algorithm ecdsap256sha256;
     };
     zone-propagation-delay 300s;
     max-zone-ttl 86400s;
     parent-propagation-delay 1h;
     parent-ds-ttl 3600;
};



When running "rndc sign example.ch", nothing happens. I'm not sure if 
"rndc sign" is still possible with "dnssec-policy"...?

Any hints on how I can recover from this state to a working signing state 
without creating a new KSK?
I assume that disabling DNSSEC completely and creating a new ZSK/KSK 
would work, but in this case I already have the mentioned KSK (61416).

Thank you.
Kind regards,
Tom
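Added example (not part of the original post or of BIND): a small Python check that parses the K<zone>.+<alg>+<id>.state format quoted above and tells, for a ZSK, whether "zone signing: no" is still expected or overdue. It assumes that the keymgr starts signing with a fresh ZSK only once its DNSKEY is omnipresent, i.e. Active + dnskey-ttl + zone-propagation-delay + publish-safety; with the policy values above that gives 08:33:25 UTC (09:33:25 local), which matches the "next key event" in the quoted log. The sample state file and the POLICY dict are constructed from the values in the post.

```python
from datetime import datetime, timedelta, timezone
import re

# Constructed sample: abridged copy of the ZSK state file from the post
# (the 14-digit stamps are UTC; the parenthesised form is local time).
SAMPLE_STATE = """\
; This is the state of key 27534, for example.ch.
KSK: no
ZSK: yes
Active: 20211129062825 (Mon Nov 29 07:28:25 2021)
DNSKEYState: rumoured
ZRRSIGState: hidden
GoalState: omnipresent
"""

# Seconds, taken from the dnssec-policy "thewaytogo-faster" in the post.
POLICY = {"dnskey-ttl": 3600, "zone-propagation-delay": 300,
          "publish-safety": 3600}

def parse_state(text):
    """Parse 'Field: value (comment)' lines into a dict, dropping comments."""
    state = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        field, _, value = line.partition(":")
        state[field.strip()] = re.sub(r"\s*\(.*\)$", "", value.strip())
    return state

def _utc(stamp):
    """Convert a BIND YYYYMMDDHHMMSS stamp (UTC) to an aware datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def zsk_signing_status(state, policy, now):
    """Return (status, expected_signing_start) for a ZSK at time `now`.

    Assumption: signing begins after the DNSKEY publication interval,
    Active + dnskey-ttl + zone-propagation-delay + publish-safety.
    'waiting' means ZRRSIGState hidden is still normal; 'problem' means
    that interval has passed and the key still does not sign.
    """
    if state.get("ZSK") != "yes":
        raise ValueError("not a ZSK state file")
    interval = sum(policy[k] for k in
                   ("dnskey-ttl", "zone-propagation-delay", "publish-safety"))
    expected = _utc(state["Active"]) + timedelta(seconds=interval)
    if state.get("ZRRSIGState") in ("rumoured", "omnipresent"):
        return "ok", expected
    return ("waiting" if now < expected else "problem"), expected
```

At the time of the quoted "rndc dnssec -status" (09:10 local, 08:10 UTC) the check reports "waiting"; run again after the expected time, a persistent "hidden" ZRRSIGState is worth chasing.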

