dnssec: ds showing hidden 3+ days after key roll
Larry Rosenman
ler at lerctr.org
Thu Feb 10 14:47:47 UTC 2022
version: bind9-devel-9.17.18.a0.2021.10.08
Debug logs from yesterday for this zone (none in today's log):
<183>1 2022-02-09T02:18:28.587884-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: keyring:
lerctr.org/RSASHA256/8385 (policy ler1)
<183>1 2022-02-09T02:18:28.587906-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: keyring:
lerctr.org/RSASHA256/34851 (policy ler1)
<183>1 2022-02-09T02:18:28.587918-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: keyring:
lerctr.org/RSASHA256/20014 (policy ler1)
<183>1 2022-02-09T02:18:28.587928-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: keyring:
lerctr.org/ECDSAP256SHA256/6539 (policy ler1)
<183>1 2022-02-09T02:18:28.587939-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: keyring:
lerctr.org/RSASHA256/269 (policy ler1)
<183>1 2022-02-09T02:18:28.587949-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: dnskeys:
lerctr.org/ECDSAP256SHA256/6539 (policy ler1)
<183>1 2022-02-09T02:18:28.587960-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: dnskeys:
lerctr.org/RSASHA256/269 (policy ler1)
<183>1 2022-02-09T02:18:28.588003-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: DNSKEY
lerctr.org/RSASHA256/20014 (KSK) matches policy ler1
<183>1 2022-02-09T02:18:28.588020-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: DNSKEY
lerctr.org/RSASHA256/269 (KSK) matches policy ler1
<183>1 2022-02-09T02:18:28.588032-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: DNSKEY
lerctr.org/RSASHA256/269 (KSK) is active in policy ler1
<183>1 2022-02-09T02:18:28.588045-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: new
successor needed for DNSKEY lerctr.org/RSASHA256/269 (KSK) (policy ler1)
in 2650572588 seconds
<183>1 2022-02-09T02:18:28.588056-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: DNSKEY
lerctr.org/ECDSAP256SHA256/6539 (ZSK) matches policy ler1
<183>1 2022-02-09T02:18:28.588067-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: DNSKEY
lerctr.org/ECDSAP256SHA256/6539 (ZSK) is active in policy ler1
<183>1 2022-02-09T02:18:28.588079-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: new
successor needed for DNSKEY lerctr.org/ECDSAP256SHA256/6539 (ZSK)
(policy ler1) in 2379102 seconds
<183>1 2022-02-09T02:18:28.588090-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine ZSK
lerctr.org/RSASHA256/8385 type DNSKEY in state HIDDEN
<183>1 2022-02-09T02:18:28.588101-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: ZSK
lerctr.org/RSASHA256/8385 type DNSKEY in stable state HIDDEN
<183>1 2022-02-09T02:18:28.588111-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine ZSK
lerctr.org/RSASHA256/8385 type ZRRSIG in state UNRETENTIVE
<183>1 2022-02-09T02:18:28.588122-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: can we
transition ZSK lerctr.org/RSASHA256/8385 type ZRRSIG state UNRETENTIVE
to state HIDDEN?
<183>1 2022-02-09T02:18:28.588143-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: dnssec
evaluation of ZSK lerctr.org/RSASHA256/8385 record ZRRSIG: rule1=(~false
or false) rule2=(~true or true) rule3=(~true or true)
<183>1 2022-02-09T02:18:28.588162-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: time says no
to ZSK lerctr.org/RSASHA256/8385 type ZRRSIG state UNRETENTIVE to state
HIDDEN (wait 662502 seconds)
<183>1 2022-02-09T02:18:28.588174-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine ZSK
lerctr.org/RSASHA256/34851 type DNSKEY in state HIDDEN
<183>1 2022-02-09T02:18:28.588184-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: ZSK
lerctr.org/RSASHA256/34851 type DNSKEY in stable state HIDDEN
<183>1 2022-02-09T02:18:28.588194-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine ZSK
lerctr.org/RSASHA256/34851 type ZRRSIG in state UNRETENTIVE
<183>1 2022-02-09T02:18:28.588205-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: can we
transition ZSK lerctr.org/RSASHA256/34851 type ZRRSIG state UNRETENTIVE
to state HIDDEN?
<183>1 2022-02-09T02:18:28.588225-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: dnssec
evaluation of ZSK lerctr.org/RSASHA256/34851 record ZRRSIG:
rule1=(~false or false) rule2=(~true or true) rule3=(~true or true)
<183>1 2022-02-09T02:18:28.588244-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: time says no
to ZSK lerctr.org/RSASHA256/34851 type ZRRSIG state UNRETENTIVE to state
HIDDEN (wait 592212 seconds)
<183>1 2022-02-09T02:18:28.588256-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine KSK
lerctr.org/RSASHA256/20014 type DNSKEY in state HIDDEN
<183>1 2022-02-09T02:18:28.588266-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: KSK
lerctr.org/RSASHA256/20014 type DNSKEY in stable state HIDDEN
<183>1 2022-02-09T02:18:28.588276-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine KSK
lerctr.org/RSASHA256/20014 type KRRSIG in state HIDDEN
<183>1 2022-02-09T02:18:28.588286-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: KSK
lerctr.org/RSASHA256/20014 type KRRSIG in stable state HIDDEN
<183>1 2022-02-09T02:18:28.588296-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine KSK
lerctr.org/RSASHA256/20014 type DS in state HIDDEN
<183>1 2022-02-09T02:18:28.588306-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: KSK
lerctr.org/RSASHA256/20014 type DS in stable state HIDDEN
<183>1 2022-02-09T02:18:28.588317-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine ZSK
lerctr.org/ECDSAP256SHA256/6539 type DNSKEY in state OMNIPRESENT
<183>1 2022-02-09T02:18:28.588328-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: ZSK
lerctr.org/ECDSAP256SHA256/6539 type DNSKEY in stable state OMNIPRESENT
<183>1 2022-02-09T02:18:28.588338-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine ZSK
lerctr.org/ECDSAP256SHA256/6539 type ZRRSIG in state OMNIPRESENT
<183>1 2022-02-09T02:18:28.588348-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: ZSK
lerctr.org/ECDSAP256SHA256/6539 type ZRRSIG in stable state OMNIPRESENT
<183>1 2022-02-09T02:18:28.588359-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine KSK
lerctr.org/RSASHA256/269 type DNSKEY in state OMNIPRESENT
<183>1 2022-02-09T02:18:28.588369-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: KSK
lerctr.org/RSASHA256/269 type DNSKEY in stable state OMNIPRESENT
<183>1 2022-02-09T02:18:28.588379-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine KSK
lerctr.org/RSASHA256/269 type KRRSIG in state OMNIPRESENT
<183>1 2022-02-09T02:18:28.588389-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: KSK
lerctr.org/RSASHA256/269 type KRRSIG in stable state OMNIPRESENT
<183>1 2022-02-09T02:18:28.588399-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine KSK
lerctr.org/RSASHA256/269 type DS in state HIDDEN
<183>1 2022-02-09T02:18:28.588410-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: can we
transition KSK lerctr.org/RSASHA256/269 type DS state HIDDEN to state
RUMOURED?
<183>1 2022-02-09T02:18:28.588432-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: dnssec
evaluation of KSK lerctr.org/RSASHA256/269 record DS: rule1=(~false or
true) rule2=(~true or true) rule3=(~true or false)
<183>1 2022-02-09T02:18:28.588453-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: dnssec says
no to KSK lerctr.org/RSASHA256/269 type DS state HIDDEN to state
RUMOURED
On 02/10/2022 6:20 am, Matthijs Mekking wrote:
> Hi Larry,
>
> There have been several bug fixes for dnssec-policy since its
> introduction. What version of 9.17 are you running?
>
> I can't tell what causes the ds to stay in the hidden state. The
> timings in the state file should allow it to move to the next state.
>
> If you were able to turn on logging, on each run the keymgr will tell
> you the reason why it cannot move the DS to the next state. Such logs
> happen on DEBUG(1) level.
>
> Best regards,
>
> Matthijs
>
>
>
> On 09-02-2022 17:35, Larry Rosenman wrote:
>> On 02/09/2022 9:52 am, Matthijs Mekking wrote:
>>> Hi Larry,
>>>
>>> Without more information it is hard to tell what is going on.
>>>
>>> Can you share your dnssec-policy and the contents of the key state
>>> file? And if you have useful logs (grep for keymgr) that would be
>>> handy too to see what is going on.
>>>
>>> If you prefer to share them off list, you can mail them to me directly.
>>>
>>> Best regards,
>>>
>>> Matthijs
>>>
>>> On 08-02-2022 18:00, Larry Rosenman wrote:
>>>> Greetings,
>>>> new poster. I just converted over to DNSSEC-policy, and
>>>> rolled my KSK. I see:
>>>> key: 269 (RSASHA256), KSK
>>>> published: yes - since Sun Feb 6 14:31:32 2022
>>>> key signing: yes - since Sun Feb 6 14:31:32 2022
>>>>
>>>> No rollover scheduled
>>>> - goal: omnipresent
>>>> - dnskey: omnipresent
>>>> - ds: hidden
>>>> - key rrsig: omnipresent
>>>>
>>>>
>>>>
>>>> Is it normal to see the ds as hidden? It IS published, and I told
>>>> rndc that.
>>>>
>>>> Any insight appreciated.
>>>>
>>
>> thebighonker# cat Klerctr.org.+008+00269.state
>> ; This is the state of key 269, for lerctr.org.
>> Algorithm: 8
>> Length: 2048
>> Lifetime: 0
>> Predecessor: 20014
>> KSK: yes
>> ZSK: no
>> Generated: 20220206203132 (Sun Feb 6 14:31:32 2022)
>> Published: 20220206203132 (Sun Feb 6 14:31:32 2022)
>> Active: 20220206213632 (Sun Feb 6 15:36:32 2022)
>> DSPublish: 20220207015646 (Sun Feb 6 19:56:46 2022)
>> PublishCDS: 20220206223632 (Sun Feb 6 16:36:32 2022)
>> DNSKEYChange: 20220206223632 (Sun Feb 6 16:36:32 2022)
>> KRRSIGChange: 20220206223632 (Sun Feb 6 16:36:32 2022)
>> DSChange: 20220206203132 (Sun Feb 6 14:31:32 2022)
>> DNSKEYState: omnipresent
>> KRRSIGState: omnipresent
>> DSState: hidden
>> GoalState: omnipresent
>> thebighonker#
>>
>> dnssec-policy "ler1" {
>>     keys {
>>         ksk lifetime unlimited algorithm 8 2048;
>>         zsk lifetime 30d algorithm 13;
>>     };
>>     // Key timings
>>     dnskey-ttl 3600;
>>     publish-safety 1h;
>>     retire-safety 1h;
>>     purge-keys P90D;
>>     // Signature timings
>>     signatures-refresh 5d;
>>     signatures-validity 14d;
>>     signatures-validity-dnskey 14d;
>>     // Zone parameters
>>     max-zone-ttl 86400;
>>     zone-propagation-delay 300;
>>     // Parent parameters
>>     parent-ds-ttl 86400;
>>     parent-propagation-delay 1h;
>>     nsec3param iterations 0 salt-length 0;
>> };
>>
>> Unfortunately my 9.17(alpha) named got into a signing loop, so I don't
>> want to look through that logging.
>>
>> I know -- I need to update to 9.18, but am waiting on the FreeBSD port
>> maintainer to add 9.18 to the ports tree.
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: ler at lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106
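As an added diagnostic (my code, not Larry's, Matthijs's or BIND's), this parses the two artefacts the thread relies on: the keymgr DEBUG(1) evaluation lines, whose `ruleN=(~before or after)` terms I read as "the transition passes rule N if that rule was already violated before, or still holds afterwards", and the key `.state` file. It reports which rule said no to the DS move and how long the DS has sat hidden since DSPublish; the sample inputs are copied from the records quoted above, and the 14-digit DSPublish value is assumed to be UTC (consistent with the parenthesised -06:00 local time beside it).

```python
import re
from datetime import datetime, timezone
# keymgr logs "ruleN=(~before or after)": rule N permits the move iff (not before) or after
RULE_RE = re.compile(r"rule(\d)=\(~(true|false) or (true|false)\)")
EVAL_RE = re.compile(r"dnssec evaluation of (\w+) (\S+) record (\w+): (.*)")

def blocking_rules(evaluation):
    """Numbers of the rules whose (~before or after) test fails for this record."""
    return [int(n) for n, before, after in RULE_RE.findall(evaluation)
            if not (before == "false" or after == "true")]

def parse_evaluations(log_text):
    """Map (role, key, rrtype) -> blocking rules for each keymgr evaluation record."""
    # syslog wrapped each record over several lines; only the first starts with '<'
    joined = re.sub(r"\n(?!<)", " ", log_text)
    return {(role, key, rr): blocking_rules(rules)
            for role, key, rr, rules in EVAL_RE.findall(joined)}

def parse_state_file(text):
    """Parse 'Field: value' lines of a key .state file, dropping the '(date)' suffix."""
    state = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(";"):
            field, value = line.split(":", 1)
            state[field.strip()] = value.strip().split(" (")[0]
    return state

def hours_ds_hidden(state, now):
    """Hours since DSPublish (assumed UTC, YYYYMMDDHHMMSS) with DSState still hidden; else 0."""
    if state.get("DSState") != "hidden" or "DSPublish" not in state:
        return 0.0
    seen = datetime.strptime(state["DSPublish"], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return (now - seen).total_seconds() / 3600
# Constructed samples, copied from the records quoted in the thread.
SAMPLE_LOG = """\
<183>1 2022-02-09T02:18:28.588143-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: dnssec
evaluation of ZSK lerctr.org/RSASHA256/8385 record ZRRSIG: rule1=(~false
or false) rule2=(~true or true) rule3=(~true or true)
<183>1 2022-02-09T02:18:28.588432-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: dnssec
evaluation of KSK lerctr.org/RSASHA256/269 record DS: rule1=(~false or
true) rule2=(~true or true) rule3=(~true or false)
"""
SAMPLE_STATE = """\
; This is the state of key 269, for lerctr.org.
DSPublish: 20220207015646 (Sun Feb 6 19:56:46 2022)
DSState: hidden
"""
LOG_TIME = datetime(2022, 2, 9, 8, 18, 28, tzinfo=timezone.utc)  # the log's own timestamp
```

Run against a full `named` debug log, an empty list for a record means timing, not a DNSSEC safety rule, is what the keymgr is waiting on (the "time says no" case for the retired ZSKs above), while a non-empty list names the rule to look at.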