Cannot import keys into dnssec-policy
Bagas Sanjaya
bagasdotme at gmail.com
Tue Apr 8 10:43:27 UTC 2025
On Mon, Apr 07, 2025 at 09:28:07AM -0500, Matthijs Mekking wrote:
> Hi,
>
> I have tried to reproduce but when I am issuing a rollover it selects the
> key I generate previously, as expected.
>
> If you believe this is a genuine bug, please support a bug report:
>
> https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issuable_template=Default
>
> and fill in the steps how to reproduce the issue.
>
> Any logs (preferably debug level 3) would then also be greatly appreciated.
>
> Thanks, best regards,
>
> Matthijs
>
>
>
> On 3/26/25 14:51, Nguyen Thi Minh Tam via bind-users wrote:
> > Hi, I'm trying version 9.18.31.
> >
> > According to the post on
> > https://kb.isc.org/docs/dnssec-key-and-signing-policy
> > <https://kb.isc.org/docs/dnssec-key-and-signing-policy>, the policy
> > normally generates keys when they are needed. However, we can generate
> > the DNSSEC keys ourselves first, and when the policy requires a new key,
> > it will select the one we created.
> >
> > There is even an example in that post.
> >
> > So, I followed that approach. I generated a new key that matches the
> > policy and placed it in the key directory. However, when it was time to
> > roll the key, my key was retired, and the policy generated a new one
> > instead.
> >
> > Here is my policy:
> >
> >
> > dnssec-policy "hosting key" {
> >         dnskey-ttl PT1M;
> >         keys {
> >                 ksk key-directory lifetime P1Y algorithm RSASHA256 2048;
> >                 zsk key-directory lifetime P30D algorithm RSASHA256 2048;
> >         };
> > };
> >
> > And i run this command to generate the next key:
> >
> > dnssec-keygen -a 8 -b 2048 -n ZONE -K /data/keys/policy.com/ policy.com
> > I even tried
> > dnssec-keygen -k "hosting key" -l /etc/named.conf -K
> > /data/keys/policy.com/ policy.com
Hi Matthijs, Hi Nguyen,
I can reproduce the bug, using Nguyen's dnssec-policy.
Before the rollover, I pregenerate the explicit successor ZSK by:
```
$ cd /var/named
# dnssec-keygen -a rsasha256 -b 2048 -f zsk test.net
# chown named:named Ktest.net.+008+07213*
```
``rndc dnssec -status test.net`` shows that the successor key (07213) isn't
recognized:
```
dnssec-policy: test
current time:  Tue Apr  8 10:25:50 2025

key: 36679 (RSASHA256), KSK
  published:      yes - since Tue Apr  8 10:14:10 2025
  key signing:    yes - since Tue Apr  8 10:14:10 2025

  Next rollover scheduled on Wed Apr  8 08:09:10 2026
  - goal:           omnipresent
  - dnskey:         rumoured
  - ds:             rumoured
  - key rrsig:      rumoured

key: 50448 (RSASHA256), ZSK
  published:      yes - since Tue Apr  8 10:14:10 2025
  zone signing:   yes - since Tue Apr  8 10:14:10 2025

  Next rollover scheduled on Fri May  9 08:09:10 2025
  - goal:           omnipresent
  - dnskey:         rumoured
  - zone rrsig:     rumoured

key: 7213 (RSASHA256), UNKNOWN
  published:      no

  No rollover scheduled
```
I trigger the rollover by ``rndc dnssec -rollover -key 50448 -when 20250408103000 test.net`` and the dnssec status shows that a new ZSK key is introduced instead:
```
dnssec-policy: test
current time:  Tue Apr  8 10:30:37 2025

key: 36679 (RSASHA256), KSK
  published:      yes - since Tue Apr  8 10:14:10 2025
  key signing:    yes - since Tue Apr  8 10:14:10 2025

  Next rollover scheduled on Wed Apr  8 08:09:10 2026
  - goal:           omnipresent
  - dnskey:         rumoured
  - ds:             rumoured
  - key rrsig:      rumoured

key: 50448 (RSASHA256), ZSK
  published:      no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         unretentive
  - zone rrsig:     unretentive

key: 7213 (RSASHA256), ZSK
  published:      no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         unretentive
  - zone rrsig:     unretentive

key: 19861 (RSASHA256), ZSK
  published:      yes - since Tue Apr  8 10:30:00 2025
  zone signing:   yes - since Tue Apr  8 12:35:00 2025

  Next rollover scheduled on Fri May  9 10:30:00 2025
  - goal:           omnipresent
  - dnskey:         rumoured
  - zone rrsig:     rumoured
```
The log from the systemd journal:
```
Apr 08 10:15:25 test.mydns.me named[174]: keymgr: checkds DS for key test.net/RSASHA256/36679 seen published at Tue Apr 8 10:15:25 2025
Apr 08 10:15:25 test.mydns.me named[174]: zone test.net/IN (signed): reconfiguring zone keys
Apr 08 10:15:25 test.mydns.me named[174]: CDS (SHA-256) for key test.net/RSASHA256/36679 is now published
Apr 08 10:15:25 test.mydns.me named[174]: CDNSKEY for key test.net/RSASHA256/36679 is now published
Apr 08 10:15:26 test.mydns.me named[174]: zone test.net/IN (signed): next key event: 08-Apr-2025 12:19:10.937
Apr 08 10:18:38 test.mydns.me named[174]: received control channel command 'dnssec -status test.net'
Apr 08 10:25:50 test.mydns.me named[174]: received control channel command 'dnssec -status test.net'
Apr 08 10:27:47 test.mydns.me named[174]: received control channel command 'dnssec -rollover -key 50448 -when 20250408103000 test.net'
Apr 08 10:27:47 test.mydns.me named[174]: zone test.net/IN (signed): reconfiguring zone keys
Apr 08 10:27:47 test.mydns.me named[174]: keymgr: retire DNSKEY test.net/RSASHA256/7213 (ZSK)
Apr 08 10:27:47 test.mydns.me named[174]: zone test.net/IN (signed): next key event: 08-Apr-2025 10:30:00.592
Apr 08 10:27:56 test.mydns.me named[174]: received control channel command 'dnssec -status test.net'
Apr 08 10:30:00 test.mydns.me named[174]: zone test.net/IN (signed): reconfiguring zone keys
Apr 08 10:30:00 test.mydns.me named[174]: keymgr: DNSKEY test.net/RSASHA256/19861 (ZSK) created for policy test
Apr 08 10:30:00 test.mydns.me named[174]: Removing expired key test.net/50448/RSASHA256 from DNSKEY RRset.
Apr 08 10:30:00 test.mydns.me named[174]: DNSKEY test.net/RSASHA256/50448 (ZSK) is now deleted
Apr 08 10:30:00 test.mydns.me named[174]: Fetching test.net/RSASHA256/19861 (ZSK) from key repository.
Apr 08 10:30:00 test.mydns.me named[174]: DNSKEY test.net/RSASHA256/19861 (ZSK) is now published
Apr 08 10:30:00 test.mydns.me named[174]: DNSKEY test.net/RSASHA256/19861 (ZSK) is now active
Apr 08 10:30:01 test.mydns.me named[174]: zone test.net/IN (signed): next key event: 08-Apr-2025 11:32:47.720
```
Thanks.
--
An old man doll... just what I always wanted! - Clara
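The first ``rndc dnssec -status`` output above already shows the problem before the rollover fires: the pregenerated key 7213 has role UNKNOWN, is not published and has no rollover scheduled, which means the keymgr has not matched it to the policy. The following script is an added example (not BIND code and not part of this thread) that parses that status format and reports such unmanaged keys, so a pregenerated successor can be checked well before its rollover date. The sample input is the first status block quoted in this message; the function names are this example's own.

```python
"""Parse `rndc dnssec -status <zone>` output and flag keys the keymgr has
not taken over (role UNKNOWN, not published, no rollover scheduled).

Added example, not BIND's own code.  SAMPLE_STATUS is copied from the
first status block posted in this thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_STATUS = """\
dnssec-policy: test
current time: Tue Apr 8 10:25:50 2025
key: 36679 (RSASHA256), KSK
published: yes - since Tue Apr 8 10:14:10 2025
key signing: yes - since Tue Apr 8 10:14:10 2025
Next rollover scheduled on Wed Apr 8 08:09:10 2026
- goal: omnipresent
- dnskey: rumoured
- ds: rumoured
- key rrsig: rumoured
key: 50448 (RSASHA256), ZSK
published: yes - since Tue Apr 8 10:14:10 2025
zone signing: yes - since Tue Apr 8 10:14:10 2025
Next rollover scheduled on Fri May 9 08:09:10 2025
- goal: omnipresent
- dnskey: rumoured
- zone rrsig: rumoured
key: 7213 (RSASHA256), UNKNOWN
published: no
No rollover scheduled
"""

# "key: 36679 (RSASHA256), KSK"
KEY_RE = re.compile(r"^key:\s+(\d+)\s+\((\S+)\),\s+(\S+)$")
# "- zone rrsig: rumoured"  (state lines for goal/dnskey/ds/rrsig)
STATE_RE = re.compile(r"^-\s+([a-z ]+):\s+(\S+)$")
ROLLOVER_PREFIX = "Next rollover scheduled on "


@dataclass
class KeyStatus:
    tag: int
    algorithm: str
    role: str                           # KSK, ZSK, CSK or UNKNOWN
    published: bool = False
    signing: bool = False               # "key signing" (KSK) or "zone signing" (ZSK)
    next_rollover: Optional[str] = None # date text as printed, None if not scheduled
    states: Dict[str, str] = field(default_factory=dict)


def parse_status(text: str) -> Tuple[Optional[str], List[KeyStatus]]:
    """Return (policy name, keys) from rndc dnssec -status output.

    Leading indentation is ignored, so both the flattened text quoted in
    the mail and rndc's indented layout parse the same way."""
    policy = None
    keys: List[KeyStatus] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("dnssec-policy:"):
            policy = line.split(":", 1)[1].strip()
            continue
        m = KEY_RE.match(line)
        if m:
            keys.append(KeyStatus(int(m.group(1)), m.group(2), m.group(3)))
            continue
        if not keys:
            continue                    # header lines such as "current time:"
        key = keys[-1]
        if line.startswith("published:"):
            key.published = line.split(":", 1)[1].strip().startswith("yes")
        elif line.startswith(("key signing:", "zone signing:")):
            key.signing = line.split(":", 1)[1].strip().startswith("yes")
        elif line.startswith(ROLLOVER_PREFIX):
            key.next_rollover = line[len(ROLLOVER_PREFIX):]
        else:
            s = STATE_RE.match(line)
            if s:
                key.states[s.group(1)] = s.group(2)
    return policy, keys


def unmanaged_keys(keys: List[KeyStatus]) -> List[int]:
    """Tags of keys that exist in the key directory but that the policy has
    not adopted: no role, nothing published, no rollover planned.  A
    pregenerated successor listed here will not be picked at rollover."""
    return [k.tag for k in keys
            if k.role == "UNKNOWN" and not k.published and k.next_rollover is None]


if __name__ == "__main__":
    name, parsed = parse_status(SAMPLE_STATUS)
    print(f"policy {name}: {len(parsed)} keys, unmanaged: {unmanaged_keys(parsed)}")
```

Run it against live output with ``rndc dnssec -status <zone> | python3 check_status.py`` after replacing SAMPLE_STATUS with ``sys.stdin.read()``; a non-empty unmanaged list before a rollover is the signal to open the bug report Matthijs asked for, with the status and debug-level logs attached.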