<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="moz-cite-prefix">On 29/09/23 12:05, Eddie Rowe wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:MW5PR22MB3132F2BF6C652FF31A16A6B7EAC1A@MW5PR22MB3132.namprd22.prod.outlook.com">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
      <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
        font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
        <span style="font-family: Calibri, Arial, Helvetica, sans-serif;
          font-size: 12pt; color: rgb(0, 0, 0);">When I perform a ZSK
          key rollover the existing ZSK disappears
          <b>immediately</b>, so I am not sure what I am missing when using
          the KASP to manage key rollover.  The state for the keys looks
          good and for this test I have TTL set to 1 hour.  But why
          does dig not show me both DNSKEY records for the ZSK after I
          initiate the rollover when there should be overlap as
          described in <a href="https://kb.isc.org/docs/aa-00822">Automatic DNSSEC
            Zone Signing Key rollover explained (isc.org)</a>?</span></div>
      <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
        font-size: 12pt; color: rgb(0, 0, 0);">
        <br>
      </div>
      <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
        font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
        <span style="font-family: Calibri, Arial, Helvetica, sans-serif;
          font-size: 12pt; color: rgb(0, 0, 0);">BIND 9.16.23, which
          seems to be the newest release provided by my distribution.  I
          reviewed the ARM for notes for newer releases in the 9.16
          branch and did not see mention of any rollover bugs or for
          dig.</span><br>
      </div>
      <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
        font-size: 12pt; color: rgb(0, 0, 0);">
        <ol>
          <li>Here is the key info from dig for ZSK key 15465 at 17:17.
<pre>
# dig @localhost myexample.com DNSKEY +multi

; &lt;&lt;&gt;&gt; DiG 9.16.23-RH &lt;&lt;&gt;&gt; @localhost myexample.com DNSKEY +multi
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 41895
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7c2a0e61926d2d3a010000006515fb68eef12b631ca40c20 (good)
;; QUESTION SECTION:
;myexample.com.         IN DNSKEY

;; ANSWER SECTION:
myexample.com.          3600 IN DNSKEY 257 3 13 (
                                20agIXl9sQCo00yiHHviYWZG8TvVmDoVxPJwO3mlcwxB
                                le7UNrzNQaeukC6teT4XrqYflqDxcM6d9L/mtREIKA==
                                ) ; KSK; alg = ECDSAP256SHA256 ; key id = 31296
myexample.com.          3600 IN DNSKEY 256 3 13 (
                                AlKXH5aebvboC4laAovc6wfg6uGK1uTbTqYYnhKadSq6
                                78nSI3DyM+1t91jqQ81tlBy+e3hJyKtlX/OiOhuZcA==
                                ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 15465

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 28 17:17:12 CDT 2023
;; MSG SIZE  rcvd: 230
</pre>
          </li>
        </ol>
        <ol start="3">
          <li>Here is the info from the key as far as state goes.
<pre>
# more Kmyexample.com.+013+15465.key
; This is a zone-signing key, keyid 15465, for myexample.com.
; Created: 20230928221438 (Thu Sep 28 17:14:38 2023)
; Publish: 20230928221438 (Thu Sep 28 17:14:38 2023)
; Activate: 20230928221438 (Thu Sep 28 17:14:38 2023)
; Inactive: 20231127221438 (Mon Nov 27 16:14:38 2023)
; Delete: 20231207231938 (Thu Dec  7 17:19:38 2023)
myexample.com. 3600 IN DNSKEY 256 3 13 AlKXH5aebvboC4laAovc6wfg6uGK1uTbTqYYnhKadSq678nSI3DyM+1t91jqQ81tlBy+e3hJyKtlX/OiOhuZcA==

# more Kmyexample.com.+013+15465.state
; This is the state of key 15465, for myexample.com.
Algorithm: 13
Length: 256
Lifetime: 5184000
KSK: no
ZSK: yes
Generated: 20230928221438 (Thu Sep 28 17:14:38 2023)
Published: 20230928221438 (Thu Sep 28 17:14:38 2023)
Active: 20230928221438 (Thu Sep 28 17:14:38 2023)
Retired: 20231127221438 (Mon Nov 27 16:14:38 2023)
Removed: 20231207231938 (Thu Dec  7 17:19:38 2023)
DNSKEYChange: 20230928221438 (Thu Sep 28 17:14:38 2023)
ZRRSIGChange: 20230928221438 (Thu Sep 28 17:14:38 2023)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent
</pre>
          </li>
        </ol>
      </div>
    </blockquote>
    <p>I suspect that the crucial detail above is "DNSKEYState:
      rumoured". This suggests that the last ZSK rollover hasn't been
      fully completed.<br>
    </p>
    <p><br>
      Before starting a rollover it is a good idea to make sure the ZSK
      that you are retiring is in an "omnipresent" state.</p>
    <p><br>
    </p>
    <p>The usual reason that the key isn't in omnipresent state is
      because BIND is still waiting for the corresponding DS record to
      be published and available in the parent zone. BIND 9.16 only
      knows if the DS record is published if you've set up
      parental-agents, or if you've explicitly told it using rndc. (BTW
      BIND 9.19 introduces new default behaviour which means you don't
      need to set parental-agents in order for it to figure this out.)<br>
    </p>
    <p><br>
    </p>
    <p>Have a look here:
      <a class="moz-txt-link-freetext" href="https://bind9.readthedocs.io/en/latest/chapter5.html#key-rollover">https://bind9.readthedocs.io/en/latest/chapter5.html#key-rollover</a><br>
    </p>
    <p><br>
    </p>
    <p>Specifically:</p>
    <blockquote>
      <p><i>If setting up a parental agent is undesirable, it is also
          possible to tell BIND that the DS is published in the parent with:
        </i><a class="reference internal"
href="https://bind9.readthedocs.io/en/latest/manpages.html#cmdoption-rndc-arg-dnssec"><code>rndc dnssec -checkds -key 12345 published dnssec.example.</code></a><i>.
          and the DS for the predecessor key has been removed with:
        </i><a class="reference internal"
href="https://bind9.readthedocs.io/en/latest/manpages.html#cmdoption-rndc-arg-dnssec"><code>rndc dnssec -checkds -key 54321 withdrawn dnssec.example.</code></a><i>.
          where 12345 and 54321 are the key tags of the successor and
          predecessor key, respectively.</i></p>
    </blockquote>
    <p>Nick.<br>
    </p>
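    <p>As an added illustration of the "make sure the key is omnipresent
      before you roll" check discussed in this thread (example code added
      here, not part of the thread and not BIND's own tooling): a small
      Python script that reads the K&lt;zone&gt;.+&lt;alg&gt;+&lt;tag&gt;.state
      files BIND writes next to the key files, in the format quoted above,
      and lists for each key why BIND would not yet treat it as fully
      omnipresent. The field and state names are those in the quoted state
      file (DNSKEYState, ZRRSIGState, GoalState) plus the KRRSIGState and
      DSState fields BIND writes for a KSK. The TTL arithmetic is only an
      approximation of BIND's own timing (BIND adds its publish-safety and
      propagation-delay margins on top of the TTL), and the second sample
      file, key tag 22222, is hypothetical.</p>

```python
"""Pre-rollover check of BIND 9 dnssec-policy key state files.

Added example for this thread, not code from the thread or from ISC: it
parses the K<zone>.+<alg>+<tag>.state files BIND writes next to the key
files and reports, per key, why BIND would not yet treat it as fully
"omnipresent". Sample files are constructed (key 22222 is hypothetical).
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_STATE_FILES = {  # constructed sample input
    "Kmyexample.com.+013+15465.state": """\
; This is the state of key 15465, for myexample.com.
Algorithm: 13
Length: 256
Lifetime: 5184000
KSK: no
ZSK: yes
Generated: 20230928221438 (Thu Sep 28 17:14:38 2023)
Published: 20230928221438 (Thu Sep 28 17:14:38 2023)
Active: 20230928221438 (Thu Sep 28 17:14:38 2023)
Retired: 20231127221438 (Mon Nov 27 16:14:38 2023)
Removed: 20231207231938 (Thu Dec  7 17:19:38 2023)
DNSKEYChange: 20230928221438 (Thu Sep 28 17:14:38 2023)
ZRRSIGChange: 20230928221438 (Thu Sep 28 17:14:38 2023)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent
""",
    "Kmyexample.com.+013+22222.state": """\
; This is the state of key 22222, for myexample.com. (hypothetical)
Algorithm: 13
KSK: no
ZSK: yes
DNSKEYChange: 20230801000000 (Tue Aug  1 00:00:00 2023)
ZRRSIGChange: 20230801000000 (Tue Aug  1 00:00:00 2023)
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
GoalState: omnipresent
""",
}

# Time of the dig in the thread: Thu Sep 28 17:17:12 CDT 2023 = 22:17:12 UTC.
DIG_TIME = datetime(2023, 9, 28, 22, 17, 12, tzinfo=timezone.utc)

# BIND writes the UTC timestamp (YYYYMMDDHHMMSS) first, local time in ().
_TS_RE = re.compile(r"^\d{14}")


def parse_state_file(text: str) -> dict:
    """Parse one .state file; timestamps become aware UTC datetimes."""
    state = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        field, _, value = line.partition(":")
        value = value.strip()
        if _TS_RE.match(value):
            state[field] = datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        elif value in ("yes", "no"):
            state[field] = value == "yes"
        elif value.isdigit():
            state[field] = int(value)
        else:
            state[field] = value
    return state


def required_states(state: dict) -> list:
    """Fields that must be omnipresent before this key can be retired: its
    DNSKEY always; ZRRSIG for a ZSK; KRRSIG and the parent DS for a KSK."""
    fields = ["DNSKEYState"]
    if state.get("ZSK"):
        fields.append("ZRRSIGState")
    if state.get("KSK"):
        fields += ["KRRSIGState", "DSState"]
    return fields


def rollover_blockers(state: dict, dnskey_ttl: int, now: datetime) -> list:
    """Reasons this key is not yet safe to retire (empty list = ready)."""
    reasons = [f"{f} is {state.get(f, 'missing')}"
               for f in required_states(state) if state.get(f) != "omnipresent"]
    # Resolvers may cache the previous DNSKEY RRset for up to its TTL, so a
    # key changed less than one TTL ago cannot be in every cache yet. BIND
    # adds publish-safety and propagation-delay on top; not modelled here.
    changed = state.get("DNSKEYChange")
    if changed is not None and now < changed + timedelta(seconds=dnskey_ttl):
        left = int((changed + timedelta(seconds=dnskey_ttl) - now).total_seconds())
        reasons.append(f"DNSKEY TTL not elapsed since DNSKEYChange ({left}s left)")
    return reasons


def check_zone(state_files: dict, dnskey_ttl: int, now: datetime) -> dict:
    """Map key tag -> blockers for every state file of one zone."""
    report = {}
    for name, text in state_files.items():
        tag = int(name.rsplit("+", 1)[1].split(".")[0])  # K<zone>.+<alg>+<tag>.state
        report[tag] = rollover_blockers(parse_state_file(text), dnskey_ttl, now)
    return report


if __name__ == "__main__":
    for tag, blockers in check_zone(SAMPLE_STATE_FILES, 3600, DIG_TIME).items():
        print(f"key {tag}: {'; '.join(blockers) or 'ready to retire'}")
```

    <p>Run as-is it reports on the two sample files; for a live zone, read
      the .state files from the key directory into the dict instead. With
      the one-hour TTL from the thread, the 15465 file comes out with three
      blockers: both states are still rumoured, and the dig was taken under
      three minutes after the DNSKEY change, so the previous DNSKEY RRset
      could still be in resolver caches.</p>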
  </body>
</html>