DNSSec KSK problem
Heiko Richter
email at heikorichter.name
Wed Aug 5 06:11:55 UTC 2015
On 05.08.2015 at 06:15, Mark Andrews wrote:
> In message <mpnvch$du9$1 at news.albasani.net>, Heiko Richter writes:
>> Hi!
>>
>> I'm hoping someone here can help me with a problem in my DNSSec
>> configuration.
>>
>> I'm running Bind 9 in Debian Jessie and just finished configuring it
>> with DNSSec for my zones. Everything including automatic key rollover
>> for the ZSKs is working, except for a slight anomaly with my KSKs:
>>
>> For some reason the KSK isn't only used to sign the ZSKs, but also to
>> sign the zone. My server obviously signs the "normal" records with the
>> ZSK and the KSK as you can see on this diagnostic site:
>> http://dnsviz.net/d/heikorichter.org/dnssec/
>>
>> Strangely for the TLD and the root zone the same flags are set on their
>> keys (257 for KSK and 256 for ZSK) and their servers seem to do it
>> right. Their KSKs are only signing the ZSK and their ZSKs are used to
>> sign the zone.
>>
>> How can I force Bind to that same behaviour?
>>
>> Here is my Options-Clause:
>> options {
>>     allow-query {
>>         any;
>>     };
>>     allow-recursion {
>>         loopback;
>>         v1;
>>         v2;
>>     };
>>     auth-nxdomain no;
>>     directory "/var/cache/bind";
>>     disable-empty-zone yes;
>>     dnssec-enable yes;
>>     dnssec-validation yes;
>>     edns-udp-size 1460;
>>     empty-zones-enable no;
>>     forwarders { };
>>     hostname "v1.heikorichter.org";
>>     ixfr-from-differences no;
>>     listen-on {
>>         any;
>>     };
>>     listen-on-v6 {
>>         any;
>>     };
>>     max-refresh-time 7200;
>>     max-retry-time 1800;
>>     max-udp-size 1460;
>>     min-refresh-time 900;
>>     min-retry-time 600;
>>     minimal-responses no;
>>     notify yes;
>>     preferred-glue AAAA;
>>     provide-ixfr no;
>>     random-device "/dev/urandom";
>>     recursion yes;
>>     request-ixfr no;
>>     rrset-order {
>>         order random;
>>     };
>>     server-id "v1.heikorichter.org";
>>     sig-validity-interval 2400;
>>     statistics-file "/etc/bind/stats";
>>     transfer-format one-answer;
>>     version "Get Lost Pal";
>>     zone-statistics yes;
>> };
>>
>> Command used to generate the KSK:
>> dnssec-keygen -r /dev/urandom -f KSK -a ECDSAP384SHA384 \
>> -P now -A +100 -R none -I none -D none \
>> -K /etc/bind/dyn/heikorichter.org heikorichter.org
>>
>> Command used to generate the ZSK:
>> dnssec-keygen -r /dev/urandom -3 -a ECDSAP256SHA256 \
>> -P +2592000 -A +2678400 -R none -I +5443200 -D +5529600 \
>> -K /etc/bind/dyn/heikorichter.org heikorichter.org
>
> Well you are using 2 algorithms (ECDSAP256SHA256 and ECDSAP384SHA384)
> and you only have a single key per algorithm so named signs all the
> RRsets in the zone with both keys.
>
Thanks for the advice, didn't know KSK and ZSK had to be the same algorithm.
My original thought was use a stronger algorithm for the KSK as it
doesn't get rolled over that often.
Anyhow, I changed it now and everything works fine. Thanks!
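Mark's explanation above, turned into a small check. This is an added example, not code from the thread or from BIND: it reads DNSKEY records (one per line, as `dig <zone> DNSKEY` prints them) and reports any algorithm that appears in the DNSKEY RRset with a KSK but no ZSK, which is exactly the situation that makes named sign every RRset with the KSK. The zone name and key material are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample DNSKEY records (not the thread author's real zone).
# MIXED mirrors the thread: KSK (flags 257) on algorithm 14 (ECDSAP384SHA384),
# ZSK (flags 256) on algorithm 13 (ECDSAP256SHA256). SINGLE is the fixed setup.
MIXED = """\
example.org. 3600 IN DNSKEY 257 3 14 BQEAAAABksk==
example.org. 3600 IN DNSKEY 256 3 13 BQEAAAABzsk==
"""
SINGLE = """\
example.org. 3600 IN DNSKEY 257 3 13 BQEAAAABksk==
example.org. 3600 IN DNSKEY 256 3 13 BQEAAAABzsk==
"""

# One DNSKEY record per line (owner TTL IN DNSKEY flags proto alg key...).
DNSKEY_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s+")

def parse_dnskeys(text):
    """Return (owner, flags, algorithm) for every DNSKEY line in text."""
    keys = []
    for line in text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if m:
            keys.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return keys

def roles_per_algorithm(keys):
    """Map algorithm number -> set of roles ('KSK' / 'ZSK') found for it."""
    roles = defaultdict(set)
    for _owner, flags, alg in keys:
        # Bit 0 of the flags field is the SEP bit: 257 marks a KSK, 256 a ZSK.
        roles[alg].add("KSK" if flags & 1 else "ZSK")
    return roles

def ksk_only_algorithms(keys):
    """Algorithms present in the DNSKEY RRset with a KSK but no ZSK.

    RFC 4035 s.2.2 requires every RRset to carry an RRSIG for each algorithm
    in the DNSKEY RRset, so named must sign the whole zone with such a KSK."""
    roles = roles_per_algorithm(keys)
    return sorted(a for a, r in roles.items() if "KSK" in r and "ZSK" not in r)

def report(text):
    """One-line verdict for the DNSKEY records in text."""
    ksk_only = ksk_only_algorithms(parse_dnskeys(text))
    if not ksk_only:
        return "OK: every algorithm in the DNSKEY RRset has a ZSK"
    return f"KSK-only algorithm(s) {ksk_only}: that KSK will sign every RRset"

if __name__ == "__main__":
    print(report(MIXED))    # KSK-only algorithm(s) [14]: ...
    print(report(SINGLE))   # OK: ...
```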