<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0">
When performing a key rollover using the KASP, I continue to see the DNSKEY IMMEDIATELY disappear rather than staying active for the appropriate period of time, with the test zone having a 3 hour TTL. I first encountered this behavior on RHEL 9.2 with BIND
9.16.23-RH (Extended Support Version) with a ZSK key in testing, and now on Fedora with 9.18.19 with as generic a setup as you can have, using the default DNSSEC policy. I know the manner in which rollovers are handled with the default policy may be different,
but I still do not think the DNSKEY should disappear immediately on rollover, since it is set to being inactive.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0">
Said another way: why do keys that are set to an inactive state by the KASP process immediately disappear, when they should still be in the zone but no longer be used to sign data?</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0">
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0"><b>Steps to Reproduce:</b></div>
<div class="ContentPasted0">1. Set up a generic BIND installation with a test zone using the default DNSSEC policy and inline signing.</div>
<div class="ContentPasted0">2. Run dig to see the DNSKEY.</div>
<div class="ContentPasted0">3. Run the rollover command.</div>
<div class="ContentPasted0">4. Run dig to see the DNSKEY - note the original DNSKEY is gone and the new one appears.</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0"><b>Expected Result:</b></div>
<div class="ContentPasted0">1. Two DNSKEY values immediately after the rollover.</div>
<div class="ContentPasted0">2. The original DNSKEY should be removed from cache at a later time, based on the TTL of the zone, and the KASP handles this. These date/times appear in the .key and .state files after the rollover, but the key appears to no longer be available,
which I believe causes a DNSSEC failure.</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">---------------------------------------------------------------------------------</div>
<div class="ContentPasted0">[root@localhost dnssec.example]# named -v</div>
<div class="ContentPasted0">BIND 9.18.19 (Extended Support Version) <id:></div>
<div class="ContentPasted0">---------------------------------------------------------------------------------</div>
<div class="ContentPasted0">[root@localhost dnssec.example]# yum info bind</div>
<div class="ContentPasted0">Last metadata expiration check: 1:34:57 ago on Fri 06 Oct 2023 04:14:09 PM CDT.</div>
<div class="ContentPasted0">Installed Packages</div>
<div class="ContentPasted0">Name : bind</div>
<div class="ContentPasted0">Epoch : 32</div>
<div class="ContentPasted0">Version : 9.18.19</div>
<div class="ContentPasted0">Release : 1.fc38</div>
<div class="ContentPasted0">Architecture : x86_64</div>
<div class="ContentPasted0">Size : 1.6 M</div>
<div class="ContentPasted0">Source : bind-9.18.19-1.fc38.src.rpm</div>
<div class="ContentPasted0">Repository : @System</div>
<div class="ContentPasted0">From repo : updates</div>
<div class="ContentPasted0">Summary : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server</div>
<div class="ContentPasted0">URL : https://www.isc.org/downloads/bind/</div>
<div class="ContentPasted0">License : MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause</div>
<div class="ContentPasted0">Description : BIND (Berkeley Internet Name Domain) is an implementation of the DNS</div>
<div class="ContentPasted0"> : (Domain Name System) protocols. BIND includes a DNS server (named),</div>
<div class="ContentPasted0"> : which resolves host names to IP addresses; a resolver library</div>
<div class="ContentPasted0"> : (routines for applications to use when interfacing with DNS); and</div>
<div class="ContentPasted0"> : tools for verifying that the DNS server is operating properly.</div>
<div class="ContentPasted0">---------------------------------------------------------------------------------</div>
<div class="ContentPasted0">[root@localhost ~]# dig @localhost dnssec.example dnskey +multi</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">; <<>> DiG 9.18.19 <<>> @localhost dnssec.example dnskey +multi</div>
<div class="ContentPasted0">; (2 servers found)</div>
<div class="ContentPasted0">;; global options: +cmd</div>
<div class="ContentPasted0">;; Got answer:</div>
<div class="ContentPasted0">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11680</div>
<div class="ContentPasted0">;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">;; OPT PSEUDOSECTION:</div>
<div class="ContentPasted0">; EDNS: version: 0, flags:; udp: 1232</div>
<div class="ContentPasted0">; COOKIE: 9e07c9760c4d71fc0100000065208d2a6696e86824aebb8e (good)</div>
<div class="ContentPasted0">;; QUESTION SECTION:</div>
<div class="ContentPasted0">;dnssec.example. IN DNSKEY</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">;; ANSWER SECTION:</div>
<div class="ContentPasted0">dnssec.example. 3600 IN DNSKEY 257 3 13 (</div>
<div class="ContentPasted0"> KHL+WEwOQA3iK5hTllDiZEZGsj3muffHMtFQLVz7yf1w</div>
<div class="ContentPasted0"> GqQipJ4ARhlwALPRlPJNaNRBmOj5bJZwTqYXglH9cQ==</div>
<div class="ContentPasted0"> ) ; KSK; alg = ECDSAP256SHA256 ; key id = 22645</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">;; Query time: 5 msec</div>
<div class="ContentPasted0">;; SERVER: ::1#53(localhost) (UDP)</div>
<div class="ContentPasted0">;; WHEN: Fri Oct 06 17:41:46 CDT 2023</div>
<div class="ContentPasted0">;; MSG SIZE rcvd: 151</div>
<div class="ContentPasted0">---------------------------------------------------------------------------------</div>
<div class="ContentPasted0">[root@localhost dnssec.example]# cat *22645.key</div>
<div class="ContentPasted0">; This is a key-signing key, keyid 22645, for dnssec.example.</div>
<div class="ContentPasted0">; Created: 20231006172923 (Fri Oct 6 12:29:23 2023)</div>
<div class="ContentPasted0">; Publish: 20231006172923 (Fri Oct 6 12:29:23 2023)</div>
<div class="ContentPasted0">; Activate: 20231006193423 (Fri Oct 6 14:34:23 2023)</div>
<div class="ContentPasted0">; SyncPublish: 20231006193423 (Fri Oct 6 14:34:23 2023)</div>
<div class="ContentPasted0">dnssec.example. 3600 IN DNSKEY 257 3 13 KHL+WEwOQA3iK5hTllDiZEZGsj3muffHMtFQLVz7yf1wGqQipJ4ARhlw ALPRlPJNaNRBmOj5bJZwTqYXglH9cQ==</div>
<div class="ContentPasted0">---------------------------------------------------------------------------------</div>
<div class="ContentPasted0">[root@localhost dnssec.example]# cat *22645.state</div>
<div class="ContentPasted0">; This is the state of key 22645, for dnssec.example.</div>
<div class="ContentPasted0">Algorithm: 13</div>
<div class="ContentPasted0">Length: 256</div>
<div class="ContentPasted0">Lifetime: 0</div>
<div class="ContentPasted0">Predecessor: 12805</div>
<div class="ContentPasted0">KSK: yes</div>
<div class="ContentPasted0">ZSK: yes</div>
<div class="ContentPasted0">Generated: 20231006172923 (Fri Oct 6 12:29:23 2023)</div>
<div class="ContentPasted0">Published: 20231006172923 (Fri Oct 6 12:29:23 2023)</div>
<div class="ContentPasted0">Active: 20231006193423 (Fri Oct 6 14:34:23 2023)</div>
<div class="ContentPasted0">PublishCDS: 20231006193423 (Fri Oct 6 14:34:23 2023)</div>
<div class="ContentPasted0">DNSKEYChange: 20231006193423 (Fri Oct 6 14:34:23 2023)</div>
<div class="ContentPasted0">ZRRSIGChange: 20231006172923 (Fri Oct 6 12:29:23 2023)</div>
<div class="ContentPasted0">KRRSIGChange: 20231006193423 (Fri Oct 6 14:34:23 2023)</div>
<div class="ContentPasted0">DSChange: 20231006172923 (Fri Oct 6 12:29:23 2023)</div>
<div class="ContentPasted0">DNSKEYState: omnipresent</div>
<div class="ContentPasted0">ZRRSIGState: rumoured</div>
<div class="ContentPasted0">KRRSIGState: omnipresent</div>
<div class="ContentPasted0">DSState: hidden</div>
<div class="ContentPasted0">GoalState: omnipresent</div>
<div class="ContentPasted0">---------------------------------------------------------------------------------</div>
<div class="ContentPasted0">[root@localhost dnssec.example]# rndc dnssec -rollover -key 22645 dnssec.example</div>
<div class="ContentPasted0">Key 22645: Rollover scheduled on 06-Oct-2023 17:46:52.000</div>
<div class="ContentPasted0">---------------------------------------------------------------------------------</div>
<div class="ContentPasted0">[root@localhost dnssec.example]# dig @localhost dnssec.example dnskey +multi</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">; <<>> DiG 9.18.19 <<>> @localhost dnssec.example dnskey +multi</div>
<div class="ContentPasted0">; (2 servers found)</div>
<div class="ContentPasted0">;; global options: +cmd</div>
<div class="ContentPasted0">;; Got answer:</div>
<div class="ContentPasted0">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15909</div>
<div class="ContentPasted0">;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">;; OPT PSEUDOSECTION:</div>
<div class="ContentPasted0">; EDNS: version: 0, flags:; udp: 1232</div>
<div class="ContentPasted0">; COOKIE: ad6ddb84be53f55f0100000065208e6371e7a01ce9319ea9 (good)</div>
<div class="ContentPasted0">;; QUESTION SECTION:</div>
<div class="ContentPasted0">;dnssec.example. IN DNSKEY</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">;; ANSWER SECTION:</div>
<div class="ContentPasted0">dnssec.example. 3600 IN DNSKEY 257 3 13 (</div>
<div class="ContentPasted0"> CQNMEeneh3kEmKSTUYp6Baujt0Yxmz7Pl/2y/lekLtWg</div>
<div class="ContentPasted0"> 8rjsxcgn8XYX+KFfglxgVNWoGMYYVtYFZsJBS5AOyg==</div>
<div class="ContentPasted0"> ) ; KSK; alg = ECDSAP256SHA256 ; key id = 37397</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">;; Query time: 0 msec</div>
<div class="ContentPasted0">;; SERVER: ::1#53(localhost) (UDP)</div>
<div class="ContentPasted0">;; WHEN: Fri Oct 06 17:46:59 CDT 2023</div>
<div class="ContentPasted0">;; MSG SIZE rcvd: 151</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">---------------------------------------------------------------------------------</div>
<div class="ContentPasted0">[root@localhost dnssec.example]# cat *22645.key</div>
<div class="ContentPasted0">; This is a key-signing key, keyid 22645, for dnssec.example.</div>
<div class="ContentPasted0">; Created: 20231006172923 (Fri Oct 6 12:29:23 2023)</div>
<div class="ContentPasted0">; Publish: 20231006172923 (Fri Oct 6 12:29:23 2023)</div>
<div class="ContentPasted0">; Activate: 20231006193423 (Fri Oct 6 14:34:23 2023)</div>
<div class="ContentPasted0">; Inactive: 20231007005152 (Fri Oct 6 19:51:52 2023)</div>
<div class="ContentPasted0">; Delete: 20231017015652 (Mon Oct 16 20:56:52 2023)</div>
<div class="ContentPasted0">; SyncPublish: 20231006193423 (Fri Oct 6 14:34:23 2023)</div>
<div class="ContentPasted0">dnssec.example. 3600 IN DNSKEY 257 3 13 KHL+WEwOQA3iK5hTllDiZEZGsj3muffHMtFQLVz7yf1wGqQipJ4ARhlw ALPRlPJNaNRBmOj5bJZwTqYXglH9cQ==</div>
<div class="ContentPasted0">---------------------------------------------------------------------------------</div>
<div class="ContentPasted0">[root@localhost dnssec.example]# cat *22645.state</div>
<div class="ContentPasted0">; This is the state of key 22645, for dnssec.example.</div>
<div class="ContentPasted0">Algorithm: 13</div>
<div class="ContentPasted0">Length: 256</div>
<div class="ContentPasted0">Lifetime: 19049</div>
<div class="ContentPasted0">Predecessor: 12805</div>
<div class="ContentPasted0">Successor: 37397</div>
<div class="ContentPasted0">KSK: yes</div>
<div class="ContentPasted0">ZSK: yes</div>
<div class="ContentPasted0">Generated: 20231006172923 (Fri Oct 6 12:29:23 2023)</div>
<div class="ContentPasted0">Published: 20231006172923 (Fri Oct 6 12:29:23 2023)</div>
<div class="ContentPasted0">Active: 20231006193423 (Fri Oct 6 14:34:23 2023)</div>
<div class="ContentPasted0">Retired: 20231007005152 (Fri Oct 6 19:51:52 2023)</div>
<div class="ContentPasted0">Removed: 20231017015652 (Mon Oct 16 20:56:52 2023)</div>
<div class="ContentPasted0">PublishCDS: 20231006193423 (Fri Oct 6 14:34:23 2023)</div>
<div class="ContentPasted0">DNSKEYChange: 20231006224652 (Fri Oct 6 17:46:52 2023)</div>
<div class="ContentPasted0">ZRRSIGChange: 20231006224652 (Fri Oct 6 17:46:52 2023)</div>
<div class="ContentPasted0">KRRSIGChange: 20231006224652 (Fri Oct 6 17:46:52 2023)</div>
<div class="ContentPasted0">DSChange: 20231006172923 (Fri Oct 6 12:29:23 2023)</div>
<div class="ContentPasted0">DNSKEYState: unretentive</div>
<div class="ContentPasted0">ZRRSIGState: unretentive</div>
<div class="ContentPasted0">KRRSIGState: unretentive</div>
<div class="ContentPasted0">DSState: hidden</div>
<div class="ContentPasted0">GoalState: hidden</div>
<div><br class="ContentPasted0">
</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">[root@localhost ~]# cat /etc/named.conf</div>
<div class="ContentPasted0">options</div>
<div class="ContentPasted0">{</div>
<div class="ContentPasted0"> directory "/var/named";</div>
<div class="ContentPasted0"> dump-file "data/cache_dump.db";</div>
<div class="ContentPasted0"> statistics-file "data/named_stats.txt";</div>
<div class="ContentPasted0"> memstatistics-file "data/named_mem_stats.txt";</div>
<div class="ContentPasted0"> secroots-file "data/named.secroots";</div>
<div class="ContentPasted0"> recursing-file "data/named.recursing";</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0"> dnssec-validation auto;</div>
<div class="ContentPasted0"> managed-keys-directory "/var/named/dynamic";</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0"> pid-file "/run/named/named.pid";</div>
<div class="ContentPasted0"> session-keyfile "/run/named/session.key";</div>
<div class="ContentPasted0"> include "/etc/crypto-policies/back-ends/bind.config";</div>
<div class="ContentPasted0">};</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">logging</div>
<div class="ContentPasted0">{</div>
<div class="ContentPasted0"> channel default_debug {</div>
<div class="ContentPasted0"> file "data/named.run";</div>
<div class="ContentPasted0"> severity dynamic;</div>
<div class="ContentPasted0"> };</div>
<div class="ContentPasted0">};</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">zone "." IN {</div>
<div class="ContentPasted0"> type hint;</div>
<div class="ContentPasted0"> file "/var/named/named.ca";</div>
<div class="ContentPasted0">};</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">zone "dnssec.example" {</div>
<div class="ContentPasted0"> type primary;</div>
<div class="ContentPasted0"> file "dnssec.example.db";</div>
<div class="ContentPasted0"> dnssec-policy default;</div>
<div class="ContentPasted0"> inline-signing yes;</div>
<div class="ContentPasted0"> key-directory "keys/dnssec.example";</div>
<div class="ContentPasted0">};</div>
<div class="ContentPasted0">---------------------------------------------------------------------------------</div>
<div class="ContentPasted0">[root@localhost dnssec.example]# cat /var/named/dnssec.example.db</div>
<div class="ContentPasted0">$ORIGIN dnssec.example.</div>
<div class="ContentPasted0">$TTL 3h</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">@ IN SOA ns01.dnssec.example. postmaster.dnssec.example. (</div>
<div class="ContentPasted0"> 2023100601 ; Serial</div>
<div class="ContentPasted0"> 3h ; Refresh after 3 hours</div>
<div class="ContentPasted0"> 1h ; Retry after 1 hour</div>
<div class="ContentPasted0"> 1w ; Expire after 1 week</div>
<div class="ContentPasted0"> 1h ) ; Negative caching TTL of 1 hour</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0"> NS ns01.dnssec.example.</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">; Addresses - ORIGIN definition allows us to not have to type FQDN as well as the trailing .</div>
<div><br class="ContentPasted0">
</div>
ns01 A 10.1.2.3<br>
</div>
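<div class="ContentPasted0">Added example (not part of the original report and not ISC's code): a Python script that reads a KASP .state file and the DNSKEY answer from dig +multi, and reports whether the two agree about a key. It embeds the post-rollover .state file for key 22645 and the post-rollover dig answer from the report above as constructed sample input, so it runs offline. Assumptions: the DNSKEYState values follow BIND's hidden / rumoured / omnipresent / unretentive state machine, where only "hidden" means the record is not supposed to be served; the Removed stamp is the scheduled removal time; and the query time is taken from the dig WHEN line (17:46:59 CDT, i.e. 22:46:59 UTC). The field names, timestamps and key tags are the ones in the report; the function names are the example's own.</div>

```python
"""Cross-check BIND KASP .state bookkeeping against the DNSKEY RRset a server actually serves.

Sample input below is constructed from the report above (post-rollover state of key 22645
and the post-rollover `dig ... dnskey +multi` answer) so the script runs without a server.
"""
import re
from datetime import datetime, timezone

STATE_22645 = """\
; This is the state of key 22645, for dnssec.example.
Algorithm: 13
Length: 256
Lifetime: 19049
Predecessor: 12805
Successor: 37397
KSK: yes
ZSK: yes
Generated: 20231006172923 (Fri Oct 6 12:29:23 2023)
Published: 20231006172923 (Fri Oct 6 12:29:23 2023)
Active: 20231006193423 (Fri Oct 6 14:34:23 2023)
Retired: 20231007005152 (Fri Oct 6 19:51:52 2023)
Removed: 20231017015652 (Mon Oct 16 20:56:52 2023)
PublishCDS: 20231006193423 (Fri Oct 6 14:34:23 2023)
DNSKEYChange: 20231006224652 (Fri Oct 6 17:46:52 2023)
ZRRSIGChange: 20231006224652 (Fri Oct 6 17:46:52 2023)
KRRSIGChange: 20231006224652 (Fri Oct 6 17:46:52 2023)
DSChange: 20231006172923 (Fri Oct 6 12:29:23 2023)
DNSKEYState: unretentive
ZRRSIGState: unretentive
KRRSIGState: unretentive
DSState: hidden
GoalState: hidden
"""

DIG_AFTER = """\
dnssec.example. 3600 IN DNSKEY 257 3 13 (
 CQNMEeneh3kEmKSTUYp6Baujt0Yxmz7Pl/2y/lekLtWg
 8rjsxcgn8XYX+KFfglxgVNWoGMYYVtYFZsJBS5AOyg==
 ) ; KSK; alg = ECDSAP256SHA256 ; key id = 37397
"""

# Assumed query time: the dig WHEN line says 17:46:59 CDT, which is 22:46:59 UTC.
DIG_AFTER_AT = datetime(2023, 10, 6, 22, 46, 59, tzinfo=timezone.utc)

STAMP_RE = re.compile(r"^(\d{14})(?=\s|$)")   # 14-digit UTC timestamp before the "(local)" text
KEYID_RE = re.compile(r"key id = (\d+)")      # comment dig +multi appends to each DNSKEY


def parse_state(text):
    """Parse a .state file: 'Name: value' lines, ';' comments, timestamps to aware UTC datetimes."""
    state = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        name, _, value = line.partition(":")   # split at the first colon only; times contain colons
        value = value.strip()
        stamp = STAMP_RE.match(value)
        if stamp:
            value = datetime.strptime(stamp.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        elif value.isdigit():
            value = int(value)
        state[name.strip()] = value
    return state


def dnskey_expected_present(state, at):
    """True if KASP's own bookkeeping says the DNSKEY should be in the zone at time `at`.

    Assumed state machine: hidden -> rumoured -> omnipresent -> unretentive -> hidden; only
    'hidden' means "not served". 'unretentive' is the post-retirement phase in which the key
    must still be published until caches expire it. Published/Removed give a time-based second
    opinion (Removed is only written once a successor exists).
    """
    if state.get("DNSKEYState", "hidden") == "hidden":
        return False
    published, removed = state.get("Published"), state.get("Removed")
    return published is not None and published <= at and (removed is None or at < removed)


def served_key_ids(dig_text):
    """Key tags present in a dig +multi DNSKEY answer (works for any number of records)."""
    return {int(tag) for tag in KEYID_RE.findall(dig_text)}


def check_rollover(state_text, dig_text, at):
    """Compare what KASP expects for one key with what the server served at time `at`."""
    state = parse_state(state_text)
    keyid = int(re.search(r"state of key (\d+)", state_text).group(1))
    report = {
        "keyid": keyid,
        "dnskey_state": state["DNSKEYState"],
        "expected_present": dnskey_expected_present(state, at),
        "observed_present": keyid in served_key_ids(dig_text),
    }
    if "Retired" in state and "Removed" in state:
        # Time the successor gets to propagate before this key retires, and how long the
        # retired DNSKEY is scheduled to stay published before KASP removes it.
        report["retire_after_rollover_s"] = int((state["Retired"] - state["DNSKEYChange"]).total_seconds())
        report["remove_after_retire_s"] = int((state["Removed"] - state["Retired"]).total_seconds())
    report["mismatch"] = report["expected_present"] != report["observed_present"]
    return report


if __name__ == "__main__":
    for name, value in check_rollover(STATE_22645, DIG_AFTER, DIG_AFTER_AT).items():
        print(f"{name}: {value}")
```

<div class="ContentPasted0">Run against the report's data, the script flags a mismatch: the state file says key 22645 is "unretentive" with Removed ten days and change after Retired, so it should still be served at the time of the second dig, yet only key 37397 appears in the answer. The same two functions can be pointed at a live key-directory and a fresh dig output to watch a rollover as it progresses.</div>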
</body>
</html>