DNSSEC: Why aren't the old keys going hidden?

Mark Andrews marka at isc.org
Mon May 2 01:53:22 UTC 2022


Why should you want them to go away while you still have DS records referencing them?

You also have a CDS record referencing a DNSKEY that dnssec-policy doesn’t seem to know about.

sienawx.us.		2892	IN	CDS	49366 8 2 60E3D64328B3D8929838FD1F2AB03CD5C8C72E3185C667B059E00157 D95F8CED

The DS records need to be removed before the DNSKEYs referencing them go. Also, does your registrar support CDS/CDNSKEY, or do you need to manually update the DS records? Based on https://support.google.com/domains/answer/6387342?hl=en&ref_topic=9018335 I’d say no.

Mark

% dig lerctr.net ds
;; BADCOOKIE, retrying.

; <<>> DiG 9.17.22 <<>> lerctr.net ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46574
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 61d83398feb22dcc01000000626f31afa85af3f9e59685a3 (good)
;; QUESTION SECTION:
;lerctr.net.			IN	DS

;; ANSWER SECTION:
lerctr.net.		86400	IN	DS	56326 8 2 6D8570580160E5EB05BD9ACA38FD0DE6F58796D5C8D8286319944C2D AC10588B
lerctr.net.		86400	IN	DS	43159 13 2 924A3AA6EBD540CBAA086F472A10C4028CEA4D80BCF79EE89AC4258B 1C2A77F6
lerctr.net.		86400	IN	DS	12796 8 2 E227022B9D50905F9433440F99B6EEFAC405E3749BC85D9E080E7E5C 96BE7B30
lerctr.net.		86400	IN	DS	19884 8 2 96455491FBB7BEF8B4B0900903651467A4439752F01F17CC26C629A1 0FFCEB10

;; Query time: 1149 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Mon May 02 11:19:43 AEST 2022
;; MSG SIZE  rcvd: 259

% dig cds lerctr.net
;; BADCOOKIE, retrying.

; <<>> DiG 9.17.22 <<>> cds lerctr.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 205
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 84426f6e7a374a3701000000626f31d133d8bf1be58d8f01 (good)
;; QUESTION SECTION:
;lerctr.net.			IN	CDS

;; ANSWER SECTION:
lerctr.net.		3600	IN	CDS	39581 13 2 406BD487D1FC1573A9E8B4F6F2F0F0D740CB10EC0A90CF2398856DE8 85166F0F

;; Query time: 2621 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Mon May 02 11:20:17 AEST 2022
;; MSG SIZE  rcvd: 115

% 

% dig ds sienawx.us
;; BADCOOKIE, retrying.

; <<>> DiG 9.17.22 <<>> ds sienawx.us
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2699
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e9ef7c1d464cfb4a01000000626f35595756c5c64e7fa839 (good)
;; QUESTION SECTION:
;sienawx.us.			IN	DS

;; ANSWER SECTION:
sienawx.us.		2887	IN	DS	49366 8 2 60E3D64328B3D8929838FD1F2AB03CD5C8C72E3185C667B059E00157 D95F8CED
sienawx.us.		2887	IN	DS	17471 8 2 4C1FF0CD2F5BB46B3929BC1A4754379E1A90669667CDC600407828DD 1896366D
sienawx.us.		2887	IN	DS	29251 13 2 CE68A1AB764862F85A3A2D48C276A19949571428E3615ACB31F768A5 43E969B0
sienawx.us.		2887	IN	DS	36004 8 2 B005D81CCF01AACB87FD866F854E00AFDBC2985191D04EB4ADD0511C 362CE07E

;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Mon May 02 11:35:21 AEST 2022
;; MSG SIZE  rcvd: 259

% dig cds sienawx.us
;; BADCOOKIE, retrying.

; <<>> DiG 9.17.22 <<>> cds sienawx.us
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54322
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: c5452feeafb797a901000000626f355e0bec2b530769829f (good)
;; QUESTION SECTION:
;sienawx.us.			IN	CDS

;; ANSWER SECTION:
sienawx.us.		2892	IN	CDS	49366 8 2 60E3D64328B3D8929838FD1F2AB03CD5C8C72E3185C667B059E00157 D95F8CED
sienawx.us.		2892	IN	CDS	29251 13 2 CE68A1AB764862F85A3A2D48C276A19949571428E3615ACB31F768A5 43E969B0

;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Mon May 02 11:35:26 AEST 2022
;; MSG SIZE  rcvd: 163

% 


> On 2 May 2022, at 06:51, Larry Rosenman <ler at lerctr.org> wrote:
> 
> I have 2 domains where I switched from Alg 8 to Alg 13, but the old keys don't seem to be going away.
> 
> Attached are the state files, and the rndc dnssec -status outputs.
> 
> Ideas?
> 
> -- 
> Larry Rosenman                     http://www.lerctr.org/~ler
> Phone: +1 214-642-9640                 E-Mail: ler at lerctr.org
> US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106
> <sienawx.us.state><lerctr.net.state><bind-keys-issue.tar.gz>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
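As an added example (not part of the thread and not BIND's own code), the check Mark describes done in Python: compare the parent's DS RRset with the child's CDS RRset, both in dig's presentation format, and list the DS records that must go before their DNSKEY can be retired, plus the CDS entries the parent has not picked up yet. The record lines are copied from the dig output above; the `0 0 0 00` delete sentinel from RFC 8078 is handled as well.

```python
import re

# DS/CDS records in dig presentation format. dig prints the digest as
# space-separated hex chunks, so everything after the digest type is re-joined.
RR_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+(?P<type>C?DS)\s+"
    r"(?P<tag>\d+)\s+(?P<alg>\d+)\s+(?P<dtype>\d+)\s+(?P<digest>[0-9A-Fa-f ]+)$"
)

def parse_rr(line):
    """Return (keytag, algorithm, digest_type, digest) for one DS/CDS line."""
    m = RR_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a DS/CDS record: {line!r}")
    digest = m["digest"].replace(" ", "").upper()
    return (int(m["tag"]), int(m["alg"]), int(m["dtype"]), digest)

def compare_ds_cds(ds_lines, cds_lines):
    """Compare the parent's DS RRset with the child's published CDS RRset.

    Returns (stale, missing): DS records the child no longer lists in CDS
    (the parent should drop them before the matching DNSKEY is retired),
    and CDS records that have no DS at the parent yet. A CDS RRset that is
    only the RFC 8078 sentinel "0 0 0 00" asks the parent to remove all DS.
    """
    ds = {parse_rr(l) for l in ds_lines}
    cds = {parse_rr(l) for l in cds_lines}
    if cds == {(0, 0, 0, "00")}:
        return sorted(ds), []
    return sorted(ds - cds), sorted(cds - ds)

# Sample input: the lerctr.net records from the dig output quoted in the mail.
LERCTR_DS = [
    "lerctr.net.\t86400\tIN\tDS\t56326 8 2 6D8570580160E5EB05BD9ACA38FD0DE6F58796D5C8D8286319944C2D AC10588B",
    "lerctr.net.\t86400\tIN\tDS\t43159 13 2 924A3AA6EBD540CBAA086F472A10C4028CEA4D80BCF79EE89AC4258B 1C2A77F6",
    "lerctr.net.\t86400\tIN\tDS\t12796 8 2 E227022B9D50905F9433440F99B6EEFAC405E3749BC85D9E080E7E5C 96BE7B30",
    "lerctr.net.\t86400\tIN\tDS\t19884 8 2 96455491FBB7BEF8B4B0900903651467A4439752F01F17CC26C629A1 0FFCEB10",
]
LERCTR_CDS = [
    "lerctr.net.\t3600\tIN\tCDS\t39581 13 2 406BD487D1FC1573A9E8B4F6F2F0F0D740CB10EC0A90CF2398856DE8 85166F0F",
]

if __name__ == "__main__":
    stale, missing = compare_ds_cds(LERCTR_DS, LERCTR_CDS)
    for tag, alg, _, _ in stale:
        print(f"DS {tag} (alg {alg}) is still at the parent but no longer in CDS")
    for tag, alg, _, _ in missing:
        print(f"CDS {tag} (alg {alg}) has no matching DS at the parent")
```

For lerctr.net every DS at the parent is stale and the alg 13 CDS (39581) has no DS, which is the registrar-side work that has to happen before the old keys can go hidden.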


