<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Sorry, I just realised that all that waffle about DS records is
      only relevant for KSKs (and CSKs), not ZSKs. So please disregard
      that. :-P<br>
    </p>
    <p><br>
    </p>
    <p>But I think the "rumoured" vs. "omnipresent" thing is still
      relevant and is the most likely explanation for why the old ZSK
      doesn't stick around. I can only assume that the reason you have
      rumoured state is because you are trying to roll your ZSK too soon
      after the previous ZSK rollover? Have you checked the various
      timing settings in the KASP definition?<br>
    </p>
    <p><br>
    </p>
    <p>Nick.<br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 30/09/23 11:32, Nick Tait via
      bind-users wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:1c59cace-8129-94a9-3ef4-7352762df148@tait.net.nz">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <div class="moz-cite-prefix">On 29/09/23 12:05, Eddie Rowe wrote:<br>
      </div>
      <blockquote type="cite"
cite="mid:MW5PR22MB3132F2BF6C652FF31A16A6B7EAC1A@MW5PR22MB3132.namprd22.prod.outlook.com">
        <meta http-equiv="Content-Type" content="text/html;
          charset=UTF-8">
        <style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
        <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
          font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
          <span style="font-family: Calibri, Arial, Helvetica,
            sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">When I
            perform a ZSK key rollover the existing ZSK disappears <b>immediately</b>,
            so I am not sure what I am missing when using the KASP to manage
            key rollover. The state for the keys looks good and for
            this test I have TTL set to 1 hour. But why does dig not
            show me both DNSKEY records for the ZSK after I initiate the
            rollover when there should be overlap as described in <a
              href="https://kb.isc.org/docs/aa-00822"
              id="LPNoLPOWALinkPreview" class="OWAAutoLink
              ContentPasted11" moz-do-not-send="true">Automatic DNSSEC
              Zone Signing Key rollover explained (isc.org)</a>?</span></div>
        <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
          font-size: 12pt; color: rgb(0, 0, 0);"> <br>
        </div>
        <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
          font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
          <span style="font-family: Calibri, Arial, Helvetica,
            sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">BIND
            9.16.23, which seems to be the newest release provided by my
            distribution. I reviewed the ARM for notes for newer
            releases in the 9.16 branch and did not see mention of any
            rollover bugs or for dig.</span><br>
        </div>
        <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
          font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
          <p>1. Here is the key info from dig for ZSK key 15465 at 17:17.</p>
          <pre># dig @localhost myexample.com DNSKEY +multi

; &lt;&lt;&gt;&gt; DiG 9.16.23-RH &lt;&lt;&gt;&gt; @localhost myexample.com DNSKEY +multi
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 41895
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7c2a0e61926d2d3a010000006515fb68eef12b631ca40c20 (good)
;; QUESTION SECTION:
;myexample.com.                 IN DNSKEY

;; ANSWER SECTION:
myexample.com.          3600 IN DNSKEY 257 3 13 (
                                20agIXl9sQCo00yiHHviYWZG8TvVmDoVxPJwO3mlcwxB
                                le7UNrzNQaeukC6teT4XrqYflqDxcM6d9L/mtREIKA==
                                ) ; KSK; alg = ECDSAP256SHA256 ; key id = 31296
myexample.com.          3600 IN DNSKEY 256 3 13 (
                                AlKXH5aebvboC4laAovc6wfg6uGK1uTbTqYYnhKadSq6
                                78nSI3DyM+1t91jqQ81tlBy+e3hJyKtlX/OiOhuZcA==
                                ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 15465

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 28 17:17:12 CDT 2023
;; MSG SIZE  rcvd: 230</pre>
        </div>
        <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
          font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
          <p>2. Here is the info from the key as far as state goes.</p>
          <pre># more Kmyexample.com.+013+15465.key
; This is a zone-signing key, keyid 15465, for myexample.com.
; Created: 20230928221438 (Thu Sep 28 17:14:38 2023)
; Publish: 20230928221438 (Thu Sep 28 17:14:38 2023)
; Activate: 20230928221438 (Thu Sep 28 17:14:38 2023)
; Inactive: 20231127221438 (Mon Nov 27 16:14:38 2023)
; Delete: 20231207231938 (Thu Dec  7 17:19:38 2023)
myexample.com. 3600 IN DNSKEY 256 3 13 AlKXH5aebvboC4laAovc6wfg6uGK1uTbTqYYnhKadSq678nSI3DyM+1t 91jqQ81tlBy+e3hJyKtlX/OiOhuZcA==

# more Kmyexample.com.+013+15465.state
; This is the state of key 15465, for myexample.com.
Algorithm: 13
Length: 256
Lifetime: 5184000
KSK: no
ZSK: yes
Generated: 20230928221438 (Thu Sep 28 17:14:38 2023)
Published: 20230928221438 (Thu Sep 28 17:14:38 2023)
Active: 20230928221438 (Thu Sep 28 17:14:38 2023)
Retired: 20231127221438 (Mon Nov 27 16:14:38 2023)
Removed: 20231207231938 (Thu Dec  7 17:19:38 2023)
DNSKEYChange: 20230928221438 (Thu Sep 28 17:14:38 2023)
ZRRSIGChange: 20230928221438 (Thu Sep 28 17:14:38 2023)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent</pre>
        </div>
      </blockquote>
      <p>I suspect that the crucial detail above is "DNSKEYState:
        rumoured". This suggests that the last ZSK rollover hasn't been
        fully completed.<br>
      </p>
      <p>Before starting a rollover it is a good idea to make sure the
        ZSK that you are retiring is in an "omnipresent" state.</p>
      <p><br>
      </p>
      <p>The usual reason that the key isn't in omnipresent state is
        because BIND is still waiting for the corresponding DS record to
        be published and available in the parent zone. BIND 9.16 only
        knows if the DS record is published if you've set up
        parental-agents, or if you've explicitly told it using rndc.
        (BTW BIND 9.19 introduces new default behaviour which means you
        don't need to set parental-agents in order for it to figure this
        out.)<br>
      </p>
      <p><br>
      </p>
      <p>Have a look here: <a class="moz-txt-link-freetext"
          href="https://bind9.readthedocs.io/en/latest/chapter5.html#key-rollover"
          moz-do-not-send="true">https://bind9.readthedocs.io/en/latest/chapter5.html#key-rollover</a><br>
      </p>
      <p><br>
      </p>
      <p>Specifically:</p>
      <blockquote>
        <p><i>If setting up a parental agent is undesirable, it is also
            possible to tell BIND that the DS is published in the parent
            with: </i><a class="reference internal"
href="https://bind9.readthedocs.io/en/latest/manpages.html#cmdoption-rndc-arg-dnssec"
            moz-do-not-send="true"><code class="xref std std-option
              docutils literal notranslate"><span class="pre">rndc</span>
              <span class="pre">dnssec</span> <span class="pre">-checkds</span>
              <span class="pre">-key</span> <span class="pre">12345</span>
              <span class="pre">published</span> <span class="pre">dnssec.example.</span></code></a><i>.
            and the DS for the predecessor key has been removed with: </i><a
            class="reference internal"
href="https://bind9.readthedocs.io/en/latest/manpages.html#cmdoption-rndc-arg-dnssec"
            moz-do-not-send="true"><code class="xref std std-option
              docutils literal notranslate"><span class="pre">rndc</span>
              <span class="pre">dnssec</span> <span class="pre">-checkds</span>
              <span class="pre">-key</span> <span class="pre">54321</span>
              <span class="pre">withdrawn</span> <span class="pre">dnssec.example.</span></code></a><i>.
            where 12345 and 54321 are the key tags of the successor and
            predecessor key, respectively.</i></p>
      </blockquote>
      <p>Nick.<br>
      </p>
    </blockquote>
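    <p>The check suggested in the thread, as an added example that is not
      code from the participants or from ISC: a small script that parses the
      <code>K*.state</code> files BIND writes next to each key (the field
      names are exactly those in the state file posted above) and reports,
      per ZSK, whether <code>DNSKEYState</code> and <code>ZRRSIGState</code>
      have reached "omnipresent" before another rollover is started. The
      sample state embedded in the script is the posted file reproduced
      verbatim; the key directory path in the usage comment is an example
      and must be replaced with the real one.</p>
```python
"""Inspect BIND 9.16 dnssec-policy (KASP) key state files before a ZSK rollover.

Added example for this thread; not code from the thread's participants or
from ISC. It parses the K*.state files BIND writes beside each key (format
as in the post above) and reports whether each ZSK is fully 'omnipresent'
or still 'rumoured', the check recommended above before rolling again.
"""
import glob
import os
import sys
from datetime import datetime, timezone

# Constructed sample: the state file posted in the thread, reproduced verbatim.
SAMPLE_STATE = """\
; This is the state of key 15465, for myexample.com.
Algorithm: 13
Length: 256
Lifetime: 5184000
KSK: no
ZSK: yes
Generated: 20230928221438 (Thu Sep 28 17:14:38 2023)
Published: 20230928221438 (Thu Sep 28 17:14:38 2023)
Active: 20230928221438 (Thu Sep 28 17:14:38 2023)
Retired: 20231127221438 (Mon Nov 27 16:14:38 2023)
Removed: 20231207231938 (Thu Dec  7 17:19:38 2023)
DNSKEYChange: 20230928221438 (Thu Sep 28 17:14:38 2023)
ZRRSIGChange: 20230928221438 (Thu Sep 28 17:14:38 2023)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent
"""

TIMESTAMP_FIELDS = {"Generated", "Published", "Active", "Retired", "Removed",
                    "DNSKEYChange", "ZRRSIGChange"}


def parse_state(text):
    """Turn the contents of a .state file into a dict.

    Timestamps are written as 'YYYYMMDDHHMMSS (local human-readable time)';
    the first token is UTC and becomes an aware datetime, the rest is dropped.
    """
    state = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # comment: '; This is the state of key ...'
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in TIMESTAMP_FIELDS:
            value = datetime.strptime(value.split()[0], "%Y%m%d%H%M%S")
            value = value.replace(tzinfo=timezone.utc)
        state[key] = value
    return state


def is_zsk(state):
    return state.get("ZSK") == "yes" and state.get("KSK") == "no"


def zsk_phase(state):
    """Classify a ZSK: 'omnipresent' (key and its signatures are in all
    caches, safe to roll), 'introducing' (goal is omnipresent but DNSKEY or
    ZRRSIG is still rumoured/hidden, i.e. the previous rollover has not
    completed), 'retiring' (goal is hidden), or 'unknown'."""
    goal = state.get("GoalState")
    if goal == "omnipresent":
        if state.get("DNSKEYState") == "omnipresent" and \
           state.get("ZRRSIGState") == "omnipresent":
            return "omnipresent"
        return "introducing"
    if goal == "hidden":
        return "retiring"
    return "unknown"


def safe_to_roll(state):
    """True only for a ZSK that is omnipresent and not already being withdrawn."""
    return is_zsk(state) and zsk_phase(state) == "omnipresent"


def interval_seconds(state):
    """Return (Active - Published, Removed - Retired) in seconds.

    Zero for the first value means the key became active the instant it was
    published, i.e. this key had no pre-publication window at all.
    """
    prepub = (state["Active"] - state["Published"]).total_seconds()
    retire_to_remove = (state["Removed"] - state["Retired"]).total_seconds()
    return prepub, retire_to_remove


def scan_directory(key_dir):
    """Yield (file name, parsed state) for every ZSK state file in key_dir."""
    for path in sorted(glob.glob(os.path.join(key_dir, "K*.state"))):
        with open(path) as fh:
            state = parse_state(fh.read())
        if is_zsk(state):
            yield os.path.basename(path), state


def summarize(items):
    """Return one report line per ZSK plus an overall verdict line."""
    lines, ready = [], 0
    for name, state in items:
        prepub, retire_to_remove = interval_seconds(state)
        if safe_to_roll(state):
            ready += 1
        lines.append(f"{name}: phase={zsk_phase(state)} safe_to_roll={safe_to_roll(state)} "
                     f"prepublication={prepub:.0f}s retire_to_remove={retire_to_remove:.0f}s")
    lines.append(f"{ready} ZSK(s) omnipresent and safe to roll" if ready else
                 "no ZSK is omnipresent yet: let the current rollover finish first")
    return lines


if __name__ == "__main__":
    # Usage: python3 zsk_state_check.py /path/to/keys   (example path: the
    # directory holding the K*.state files). With no argument the constructed
    # sample from the thread is analysed instead.
    items = list(scan_directory(sys.argv[1])) if len(sys.argv) > 1 \
        else [("Kmyexample.com.+013+15465.state", parse_state(SAMPLE_STATE))]
    print("\n".join(summarize(items)))
```
    <p>Run against the posted file the script reports the key as
      "introducing" with a zero pre-publication interval, which is what the
      thread's "rumoured" observation amounts to; a ZSK should only be rolled
      once this report shows it as omnipresent.</p>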
  </body>
</html>