KSK signing zone records

Timothy A. Holtzen tah at NebrWesleyan.edu
Thu Sep 2 17:26:37 UTC 2021


Okay, so if I'm interpreting this correctly: when the new alg 14 KSKs
were created and then the zone was signed (either automatically or via a
command) there was probably only a valid alg 8 ZSK available.  As a
result bind used the alg 14 KSK as a de facto CSK and signed the zone
RRsets directly.  This would make sense given the nature of the issue I
had with my key rotation process.  However, now I have both valid alg 8
and alg 14 ZSKs available.  Is there a way to go back and get bind to
re-evaluate the zone to recognize the valid ZSK records and sign them only?

Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D  C7DD DFFB 7662 24E6 C30D
Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7

On 8/31/21 18:07, Mark Andrews wrote:
> Named will continually re-sign parts of the zone as the RRSIGs for an RRset fall due
> for replacement.  Named looks at which keys are in the active state, along with the
> aforementioned controls, to work out which DNSKEYs will be used to re-sign the
> RRset.  If in the past you only had one key type and you now have two, different keys
> may be used to re-sign the RRset.  If you changed policy in named.conf, the new policy
> will be implemented as the RRSIGs are re-generated.
>
> It looks like you told named to re-sign the zone when there was only one type of DNSKEY
> key record (or you were unlucky enough for named to check the available keys while there
> was only one active key present), resulting in named overriding the policy in named.conf.
>
> Mark
>
>> On 1 Sep 2021, at 03:44, Timothy A. Holtzen via bind-users <bind-users at lists.isc.org> wrote:
>>
>> I'm using Algorithm 8 RSA/SHA-256, and Algorithm 14 ECDSA/SHA-384.  I
>> have one RSA KSK and one RSA ZSK.  In addition I have two ECDSA KSKs and
>> two ECDSA ZSKs.  The RSA KSK seems perfectly happy to sign the ECDSA
>> ZSKs.  And both the RSA and ECDSA ZSKs seem to be signing records
>> correctly.  It just seems to be the two newer ECDSA KSKs that instead of
>> signing the ZSKs are signing the domain records directly.
>>
>> Even more perplexing is that one of the domains seems to have fixed
>> itself.  Now all the KSKs for that domain are signing the ZSKs and the
>> ZSKs are signing the domain records.  But I've still got a couple of
>> other domains where it is doing it wrong.  Is there some kind of timeout
>> or maintenance that gets run automatically that might have fixed the
>> issue?  I've tried running an "rndc sign" command on the domains several
>> times.
>>
>> Timothy A. Holtzen
>> Campus Network Administrator
>> Nebraska Wesleyan University
>> Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D  C7DD DFFB 7662 24E6 C30D
>> Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7
>>
>> On 8/30/21 17:40, raf via bind-users wrote:
>>> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton <clists at buxtonfamily.us> wrote:
>>>
>>>> What algorithm(s) are you using for ZSK and KSK? If they’re not the
>>>> same algorithm, then both will be used to sign the entire zone.
>>>>
>>>> Regards,
>>>> Chris Buxton
>>> Just out of curiosity, why is that?
>>> Isn't having the KSK sign the ZSK enough?
>>> What difference does the nature of the thing
>>> being signed make?
>>>
>>> cheers,
>>> raf
>>>
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>>
>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>>
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
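The two behaviours argued over in this thread can be checked mechanically from the signed zone: per RFC 4035 section 2.2 every RRset must carry an RRSIG from at least one DNSKEY of each algorithm in the apex DNSKEY RRset (which is why a mixed alg 8 / alg 14 zone is signed by both algorithms, as Chris said), and a key with the SEP bit (flags 257, the conventional KSK) is normally expected to sign only the apex DNSKEY, CDS and CDNSKEY RRsets, so a KSK turning up as signer of ordinary zone data is the "de facto CSK" symptom Timothy describes. The audit below is an added example written for this page, not BIND code or anything posted in the thread. It assumes zone text in the "owner TTL class type rdata" one-record-per-line layout that dig and named-checkzone -D emit, reads only DNSKEY and RRSIG lines, and the sample zone is constructed with made-up key material and signature fields; key tags are computed from the real RFC 4034 Appendix B formula, signatures are never verified.

```python
"""Audit which DNSKEY signed which RRset in a signed zone (added example, not
BIND's code).  Input: zone text in "owner TTL class type rdata" layout, one
record per line; only DNSKEY and RRSIG lines are read."""
import base64
import struct
from collections import defaultdict

# RRsets a KSK (SEP bit set) is normally expected to sign; any other RRset
# carrying a KSK signature is the "KSK used as a de facto CSK" symptom.
APEX_ONLY = {"DNSKEY", "CDS", "CDNSKEY"}


def key_tag(flags, protocol, algorithm, key_bytes):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for alg 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key_bytes
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text):
    """Return ({(tag, alg): {"owner", "role"}}, [rrsig dicts]); comments after ';' are dropped."""
    dnskeys, rrsigs = {}, []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) < 5:
            continue
        owner, rtype = fields[0], fields[3]
        if rtype == "DNSKEY":
            flags, proto, alg = (int(x) for x in fields[4:7])
            key = base64.b64decode("".join(fields[7:]))
            role = "KSK" if flags & 0x0001 else "ZSK"   # SEP bit: 257 vs 256
            dnskeys[(key_tag(flags, proto, alg, key), alg)] = {"owner": owner, "role": role}
        elif rtype == "RRSIG":
            # type_covered alg labels orig_ttl expiration inception key_tag signer signature
            rrsigs.append({"owner": owner, "covered": fields[4], "alg": int(fields[5]),
                           "tag": int(fields[10]), "signer": fields[11]})
    return dnskeys, rrsigs


def audit(dnskeys, rrsigs):
    zone_algs = {alg for (_, alg) in dnskeys}
    algs_signing = defaultdict(set)          # (owner, type) -> algorithms with an RRSIG
    ksk_on_zone_data, unknown_key = [], []
    for sig in rrsigs:
        rrset = (sig["owner"], sig["covered"])
        key = dnskeys.get((sig["tag"], sig["alg"]))
        if key is None:                       # RRSIG from a key not in the DNSKEY RRset
            unknown_key.append(rrset + (sig["tag"],))
            continue
        algs_signing[rrset].add(sig["alg"])
        if key["role"] == "KSK" and sig["covered"] not in APEX_ONLY:
            ksk_on_zone_data.append(rrset + (sig["tag"],))
    # RFC 4035 s2.2: every RRset needs an RRSIG from each algorithm in the DNSKEY RRset.
    missing_alg = {rrset: sorted(zone_algs - algs)
                   for rrset, algs in algs_signing.items() if zone_algs - algs}
    return {"ksk_on_zone_data": sorted(ksk_on_zone_data),
            "missing_alg": missing_alg,
            "unknown_key": sorted(unknown_key)}


# Constructed sample: fake 4-byte "keys" and dummy signature fields, laid out like
# the thread's situation (alg 8 KSK+ZSK, alg 14 KSK+ZSK, alg 14 KSK signing zone data).
SAMPLE_ZONE = """
example.net.      3600 IN DNSKEY 257 3 8  AQIDBA==   ; KSK alg 8,  tag 2063
example.net.      3600 IN DNSKEY 256 3 8  BQYHCA==   ; ZSK alg 8,  tag 4118
example.net.      3600 IN DNSKEY 257 3 14 CQoLDA==   ; KSK alg 14, tag 6181
example.net.      3600 IN DNSKEY 256 3 14 DQ4PEA==   ; ZSK alg 14, tag 8236 (unused below)
example.net.      3600 IN RRSIG DNSKEY 8  2 3600 20211001000000 20210901000000 2063 example.net. AAAA
example.net.      3600 IN RRSIG DNSKEY 14 2 3600 20211001000000 20210901000000 6181 example.net. AAAA
www.example.net.  3600 IN RRSIG A 8  3 3600 20211001000000 20210901000000 4118 example.net. AAAA
www.example.net.  3600 IN RRSIG A 14 3 3600 20211001000000 20210901000000 6181 example.net. AAAA ; KSK on zone data
mail.example.net. 3600 IN RRSIG A 8  3 3600 20211001000000 20210901000000 4118 example.net. AAAA ; no alg 14 RRSIG
"""


def run_audit(zone_text=SAMPLE_ZONE):
    dnskeys, rrsigs = parse_zone(zone_text)
    return audit(dnskeys, rrsigs)


if __name__ == "__main__":
    for finding, items in run_audit().items():
        print(finding, items)
```

On a live server the same text can be obtained with `dig @127.0.0.1 example.net. AXFR` (assuming the transfer is allowed from that address; dig prints one record per line in this layout by default), and in BIND 9.16+ with dnssec-policy, `rndc dnssec -status example.net` shows which keys named currently considers active for KSK and ZSK roles, which is the state Mark says named consults when it decides who re-signs a due RRset.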
