Can't get Bind to publish CDS/CDNSKEY using dnssec-policy
Josef Vybíhal
josef.vybihal at gmail.com
Thu Aug 12 07:02:50 UTC 2021
Hi, for the second day I am scratching my head over (automatically) publishing
CDS/CDNSKEY records. When I read Matthijs Mekking's KB article at
https://kb.isc.org/docs/dnssec-key-and-signing-policy, I wanted to try
dnssec-policy. Up until now I was successfully using inline-signing with
auto-dnssec.
I configured my dnssec-policy to match the current key settings, but I
probably made a mistake and it did not match, so a new key was
generated. No big deal, it's a test domain; a rollover is not a problem.
Since my TLD supports CDNSKEY, I want to leverage it. So I removed the current
DS record from the domain and expected BIND to publish CDS/CDNSKEY (
https://bind9.readthedocs.io/en/latest/dnssec-guide.html#the-cds-and-cdnskey-resource-records).
Unfortunately I cannot get BIND to publish them automatically. No clue
why. I kind of expected BIND to publish them at PublishCDS: 20210811135045
(Wed Aug 11 15:50:45 2021) automatically.
domain: irmorava.cz
version: BIND 9.16.19
OS: CentOS 8 Stream + packages from copr.
named.conf:
dnssec-policy "pepa" {
    keys {
        csk key-directory lifetime unlimited algorithm 13;
    };

    // Key timings
    dnskey-ttl PT1H;
    publish-safety PT1H;
    retire-safety PT1H;
    purge-keys P1D;

    // Signature timings
    signatures-refresh P5D;
    signatures-validity P14D;
    signatures-validity-dnskey P14D;

    // Zone parameters
    max-zone-ttl PT1H;
    zone-propagation-delay PT5M;
    parent-ds-ttl PT1H;
    parent-propagation-delay PT1H;
    nsec3param iterations 1 optout false salt-length 16;
};

zone "irmorava.cz" {
    type master;
    file "master/irmorava.cz.zone";
    allow-update { none; };
    key-directory "keys/irmorava.cz";
    dnssec-policy pepa;
    notify yes;
    allow-transfer { pepa_abc; };
};
dig irmorava.cz @127.0.0.1 DNSKEY +short +norec
257 3 13 Xsfq5rEgoE+iT+cvq0OZz43MiLiRLeH8SUAEIprn0/J3PNZSYVlCeNuF
5lfNo6uM0TeApujDhmQ1FPNINKxa2Q==
rndc dnssec -status irmorava.cz
dnssec-policy: pepa
current time: Thu Aug 12 08:38:40 2021

key: 22788 (ECDSAP256SHA256), CSK
  published:      yes - since Wed Aug 11 10:20:00 2021
  key signing:    yes - since Wed Aug 11 10:20:00 2021
  zone signing:   yes - since Wed Aug 11 12:25:00 2021

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             hidden
  - zone rrsig:     rumoured
  - key rrsig:      omnipresent

key: 44055 (ECDSAP256SHA256), CSK
  published:      no
  key signing:    no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - ds:             hidden
  - zone rrsig:     unretentive
  - key rrsig:      hidden

key: 35549 (ECDSAP256SHA256), CSK
  published:      no
  key signing:    no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - ds:             hidden
  - zone rrsig:     hidden
  - key rrsig:      hidden
/var/named/keys/irmorava.cz/Kirmorava.cz.+013+22788.state:
; This is the state of key 22788, for irmorava.cz.
Algorithm: 13
Length: 256
Lifetime: 0
Predecessor: 44055
KSK: yes
ZSK: yes
Generated: 20210811082000 (Wed Aug 11 10:20:00 2021)
Published: 20210811082000 (Wed Aug 11 10:20:00 2021)
Active: 20210811102500 (Wed Aug 11 12:25:00 2021)
DSPublish: 20210811131037 (Wed Aug 11 15:10:37 2021)
DSRemoved: 20210811131020 (Wed Aug 11 15:10:20 2021)
*PublishCDS: 20210811135045 (Wed Aug 11 15:50:45 2021)*
DNSKEYChange: 20210811102500 (Wed Aug 11 12:25:00 2021)
ZRRSIGChange: 20210811082000 (Wed Aug 11 10:20:00 2021)
KRRSIGChange: 20210811102500 (Wed Aug 11 12:25:00 2021)
DSChange: 20210811082000 (Wed Aug 11 10:20:00 2021)
DNSKEYState: omnipresent
ZRRSIGState: rumoured
KRRSIGState: omnipresent
DSState: hidden
GoalState: omnipresent
As you can see, I rolled over two more keys, but the desired records were not
published. Yesterday I tried manually running 'dnssec-settime -P sync now
Kirmorava.cz.+013+22788.key'. I waited, as I read here
https://lists.isc.org/pipermail/bind-users/2020-April/102903.html, but still
no luck.
I am sure I am missing something stupidly simple. Could someone please give
me a hint? Or are 'parental-agents' required to be configured? That does not
seem like the right way to me.
Josef
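The post is about what a child zone should be publishing for its parent and whether it actually is. The script below is an added example (not code from the post, from BIND or from ISC) that does the check the poster is doing by hand: it takes the DNSKEY RRset as printed by dig (the irmorava.cz key from the post is embedded as input), computes the key tag and the DS digest (RFC 4034 Appendix B and RFC 4509), prints the CDS record the zone would be expected to publish for that key, and classifies the CDS/CDNSKEY RRsets as "not_published" (the situation in the post), "delete" (the RFC 8078 DS-removal signal), "ok" or "mismatch". The CDS/CDNSKEY inputs in main() are constructed to show each outcome; the zone name, the SEP flag test and the digest types 2 and 4 are the script's own assumptions, and the key tag it computes for the embedded key can be compared with the 22788 that rndc dnssec -status reports in the post.

```python
"""Check a zone's CDS/CDNSKEY against its DNSKEY RRset (RFC 7344 / RFC 8078).

Added example; not code from the original post or from BIND. The DNSKEY below
is the one shown in the post for irmorava.cz; the CDS/CDNSKEY inputs in main()
are constructed to show each outcome. With real data, paste in the output of
'dig @ns irmorava.cz DNSKEY +short', '... CDS +short' and '... CDNSKEY +short'.
"""
import base64
import hashlib

ZONE = "irmorava.cz"
# DNSKEY rdata exactly as 'dig ... DNSKEY +short' printed it in the post (two lines joined).
ZONE_DNSKEYS = [
    "257 3 13 Xsfq5rEgoE+iT+cvq0OZz43MiLiRLeH8SUAEIprn0/J3PNZSYVlCeNuF"
    "5lfNo6uM0TeApujDhmQ1FPNINKxa2Q==",
]
SEP_FLAG = 0x0001                                      # KSK/SEP bit, RFC 4034 s2.1.1
DIGEST_ALGS = {2: hashlib.sha256, 4: hashlib.sha384}   # DS digest types 2 and 4


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text: str):
    """'flags proto alg base64 [base64 ...]' -> (flags, proto, alg, key bytes)."""
    flags, proto, alg, *b64 = text.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(b64))


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for(zone: str, dnskey_text: str, digest_type: int = 2) -> str:
    """DS rdata (which is also the CDS rdata) a parent should hold for this DNSKEY."""
    flags, proto, alg, key = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = DIGEST_ALGS[digest_type](name_to_wire(zone) + rdata).hexdigest()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest.upper()}"


def _ds_tuple(text: str):
    tag, alg, dt, digest = text.split()
    return int(tag), int(alg), int(dt), digest.upper()


def check_cds(zone, dnskeys, cds_records, cdnskey_records) -> str:
    """Classify what the child is signalling to its parent:
    'not_published' (nothing for the parent to act on, the situation in the post),
    'delete' (RFC 8078 remove-DS signal), 'ok', or 'mismatch'."""
    if not cds_records and not cdnskey_records:
        return "not_published"
    if any(r.split()[:3] == ["0", "0", "0"] for r in cds_records) or \
       any(r.split()[:3] == ["0", "3", "0"] for r in cdnskey_records):
        return "delete"
    ksk_texts = [k for k in dnskeys if parse_dnskey(k)[0] & SEP_FLAG]
    expected_ds = {_ds_tuple(ds_for(zone, k, dt)) for k in ksk_texts for dt in DIGEST_ALGS}
    expected_keys = {parse_dnskey(k) for k in ksk_texts}
    if any(_ds_tuple(r) not in expected_ds for r in cds_records):
        return "mismatch"      # CDS digest does not belong to any KSK in the zone
    if any(parse_dnskey(r) not in expected_keys for r in cdnskey_records):
        return "mismatch"      # CDNSKEY does not match any KSK in the zone
    return "ok"


def main():
    expected = ds_for(ZONE, ZONE_DNSKEYS[0])
    print("key tag of the zone's CSK:", key_tag(dnskey_rdata(*parse_dnskey(ZONE_DNSKEYS[0]))))
    print("CDS the zone should publish:", expected)
    # Constructed CDS/CDNSKEY inputs, one per outcome:
    print("no CDS/CDNSKEY in zone :", check_cds(ZONE, ZONE_DNSKEYS, [], []))
    print("matching CDS + CDNSKEY :", check_cds(ZONE, ZONE_DNSKEYS, [expected], ZONE_DNSKEYS))
    print("RFC 8078 delete signal :", check_cds(ZONE, ZONE_DNSKEYS, ["0 0 0 00"], ["0 3 0 AA=="]))


if __name__ == "__main__":
    main()
```

The "not_published" case is deliberately separated from "mismatch": an empty CDS/CDNSKEY RRset is not an error from the parent's point of view (RFC 7344 tells the parent to do nothing), so a monitor that only compares digests would stay silent in exactly the situation the post describes. Run it against live answers by replacing the constructed lists with the dig +short output for CDS and CDNSKEY.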