DNSSec KSK problem
Mark Andrews
marka at isc.org
Wed Aug 5 04:15:48 UTC 2015
In message <mpnvch$du9$1 at news.albasani.net>, Heiko Richter writes:
> Hi!
>
> I'm hoping someone here can help me with a problem in my DNSSec
> configuration.
>
> I'm running Bind 9 in Debian Jessie and just finished configuring it
> with DNSSec for my zones. Everything including automatic key rollover
> for the ZSKs is working, except for a slight anomaly with my KSKs:
>
> For some reason the KSK isn't only used to sign the ZSKs, but also to
> sign the zone. My server obviously signs the "normal" records with the
> ZSK and the KSK as you can see on this diagnostic site:
> http://dnsviz.net/d/heikorichter.org/dnssec/
>
> Strangely for the TLD and the root zone the same flags are set on their
> keys (257 for KSK and 256 for ZSK) and their servers seem to do it
> right. Their KSKs are only signing the ZSK and their ZSKs are used to
> sign the zone.
>
> How can I force Bind to that same behaviour?
>
> Here is my Options-Clause:
> options {
>     allow-query {
>         any;
>     };
>     allow-recursion {
>         loopback;
>         v1;
>         v2;
>     };
>     auth-nxdomain no;
>     directory "/var/cache/bind";
>     disable-empty-zone yes;
>     dnssec-enable yes;
>     dnssec-validation yes;
>     edns-udp-size 1460;
>     empty-zones-enable no;
>     forwarders { };
>     hostname "v1.heikorichter.org";
>     ixfr-from-differences no;
>     listen-on {
>         any;
>     };
>     listen-on-v6 {
>         any;
>     };
>     max-refresh-time 7200;
>     max-retry-time 1800;
>     max-udp-size 1460;
>     min-refresh-time 900;
>     min-retry-time 600;
>     minimal-responses no;
>     notify yes;
>     preferred-glue AAAA;
>     provide-ixfr no;
>     random-device "/dev/urandom";
>     recursion yes;
>     request-ixfr no;
>     rrset-order {
>         order random;
>     };
>     server-id "v1.heikorichter.org";
>     sig-validity-interval 2400;
>     statistics-file "/etc/bind/stats";
>     transfer-format one-answer;
>     version "Get Lost Pal";
>     zone-statistics yes;
> };
>
> Command used to generate the KSK:
> dnssec-keygen -r /dev/urandom -f KSK -a ECDSAP384SHA384 \
> -P now -A +100 -R none -I none -D none \
> -K /etc/bind/dyn/heikorichter.org heikorichter.org
>
> Command used to generate the ZSK:
> dnssec-keygen -r /dev/urandom -3 -a ECDSAP256SHA256 \
> -P +2592000 -A +2678400 -R none -I +5443200 -D +5529600 \
> -K /etc/bind/dyn/heikorichter.org heikorichter.org
Well, you are using two algorithms (ECDSAP256SHA256 and ECDSAP384SHA384)
and you only have a single key per algorithm, so named signs all the
RRsets in the zone with both keys.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
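The rule behind the reply above, as an added worked example (this is not code from the thread, from ISC, or from BIND itself): named must sign every RRset with at least one key of every algorithm present in the apex DNSKEY RRset (RFC 4035, section 2.2 requires a validator to be able to find one), and the usual "KSK signs only DNSKEY, ZSK signs the rest" split happens only within an algorithm that has both a KSK and a ZSK. With a P-384 KSK and a P-256 ZSK, each algorithm has exactly one key, so each key has to sign everything, which is what dnsviz displayed. The script below models that selection and reports which key tags will show up in the RRSIGs for a given RRset type. The DNSKEY records are constructed with dummy key material under example.org; on a real zone you would feed it the lines printed by `dig example.org DNSKEY +noall +answer`. The model is the behaviour Mark describes; it does not cover every BIND option that changes signing (for example `update-check-ksk no`).

```python
"""Model of which DNSKEYs BIND's named uses to sign each RRset.

Added example, not code from the bind-users thread or from ISC. It encodes
the rule stated in the reply: named signs every RRset with at least one key
of every algorithm in the DNSKEY RRset, and within one algorithm the KSK
(flags 257, SEP bit set) is restricted to the DNSKEY RRset only when a ZSK
(flags 256) of the same algorithm exists. Key material below is dummy data.
"""
import base64
import struct
from collections import defaultdict

# Algorithm numbers from the IANA DNSSEC registry, named as dnssec-keygen -a takes them.
ALGORITHM_NAMES = {8: "RSASHA256", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}

# Constructed sample: the poster's layout (KSK P-384, ZSK P-256) and a fixed one
# where both keys use the same algorithm. "AQIDBA==" is the dummy key 01 02 03 04.
MIXED_ALGORITHMS = [
    "example.org. 3600 IN DNSKEY 257 3 14 AQIDBA==",
    "example.org. 3600 IN DNSKEY 256 3 13 AQIDBA==",
]
SINGLE_ALGORITHM = [
    "example.org. 3600 IN DNSKEY 257 3 13 AQIDBA==",
    "example.org. 3600 IN DNSKEY 256 3 13 AQIDBA==",
]


def key_tag(flags, protocol, algorithm, key_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (the id RRSIGs and dnsviz show)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr):
    """Parse one DNSKEY RR in presentation form (as printed by dig or kept in the zone file)."""
    tokens = rr.split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    key_b64 = "".join(tokens[i + 4:])   # base64 may be split across whitespace
    return {
        "flags": flags,
        "algorithm": algorithm,
        "ksk": bool(flags & 0x0001),      # SEP bit: 257 = KSK, 256 = ZSK
        "tag": key_tag(flags, protocol, algorithm, key_b64),
    }


def signing_plan(dnskey_rrs):
    """Return {algorithm: (keys signing the DNSKEY RRset, keys signing all other RRsets)}."""
    by_alg = defaultdict(list)
    for key in map(parse_dnskey, dnskey_rrs):
        by_alg[key["algorithm"]].append(key)
    plan = {}
    for algorithm, keys in by_alg.items():
        ksks = [k for k in keys if k["ksk"]]
        zsks = [k for k in keys if not k["ksk"]]
        if ksks and zsks:
            plan[algorithm] = (ksks, zsks)   # normal split: KSK -> DNSKEY, ZSK -> zone data
        else:
            plan[algorithm] = (keys, keys)   # same list twice: lone key(s) sign every RRset
    return plan


def signers(dnskey_rrs, rrtype):
    """Sorted key tags that will appear in the RRSIGs over an RRset of the given type."""
    tags = set()
    for dnskey_signers, data_signers in signing_plan(dnskey_rrs).values():
        for key in (dnskey_signers if rrtype == "DNSKEY" else data_signers):
            tags.add(key["tag"])
    return sorted(tags)


def lone_key_algorithms(dnskey_rrs):
    """Algorithm names lacking a KSK/ZSK pair; each one forces its key(s) to sign the whole zone."""
    return sorted(
        ALGORITHM_NAMES.get(alg, str(alg))
        for alg, (dnskey_signers, data_signers) in signing_plan(dnskey_rrs).items()
        if dnskey_signers is data_signers   # the "(keys, keys)" case from signing_plan
    )


if __name__ == "__main__":
    for label, rrs in (("mixed algorithms", MIXED_ALGORITHMS),
                       ("single algorithm", SINGLE_ALGORITHM)):
        print(f"{label}: DNSKEY signed by {signers(rrs, 'DNSKEY')}, "
              f"A/MX/etc. signed by {signers(rrs, 'A')}, "
              f"algorithms without a KSK/ZSK pair: {lone_key_algorithms(rrs)}")
```

For the mixed layout both key tags appear on every RRset type and both algorithms are reported as lacking a pair; for the single-algorithm layout only the KSK's tag appears on DNSKEY and only the ZSK's tag on the zone data. Matching the printed tags against the RRSIGs dnsviz shows (or `dig ... RRSIG`) is the quick way to confirm which case a zone is in. Regenerating the KSK with the same `-a` as the ZSK (or adding a ZSK for each algorithm you keep) is what the model says will restore the expected split.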