How to introduce automatic signing for existing signed zones?

Niall O'Reilly niall.oreilly at ucd.ie
Mon Nov 7 11:40:00 UTC 2022


I have a couple of zones which I want to migrate from CLI-driven
signing to BIND9 automatic signing, while avoiding any change to
the respective parent-zone DS RR.

Status quo ante:

- https://dnsviz.net/d/no8.be/dnssec/
  separate KSK, ZSK; both using alg 13
- https://dnsviz.net/d/jamm.ie/dnssec/
  2048-bit KSK, 2x 1024-bit ZSKs (live and spare); all using alg 8

Preparation:

- Set up minimal stand-alone instance of BIND9 named,
  configured with a **dnssec-policy** for each algorithm,
  matching properties of existing DNSSEC keys, and with
  `lifetime unlimited`;
- Deliver current key files and recently-signed copy of
  zone files to this instance.

Expected behaviour on starting named:

- Zones are loaded;
- Spare ZSK for jamm.ie is retired;
- Other keys for each zone are accepted and retained;
- A CDS RR is generated for each zone, matching the current DS RR.

Observed behaviour:

- `named -v` shows `BIND 9.18.8 (Stable Release) <id:35f5d35>`;
- Zones are loaded;
- Spare ZSK for jamm.ie is retired;
- Other RSA/SHA-256 keys (for jamm.ie) are accepted and retained;
- A CDS RR is published for jamm.ie, matching the current DS RR;
- ECDSAP256SHA256 keys (for no8.be) are not accepted;
- New ECDSAP256SHA256 keys are created for no8.be;
- No CDS RR is generated for no8.be.

Unless I'm missing something, there seems to be a discrepancy
according to key type between the handling of RSA/SHA-256 and
ECDSAP256SHA256 keys respectively.

/Niall
-------------- next part --------------

// Based on https://bind9.readthedocs.io/en/latest/chapter3.html#primary-authoritative-name-server

// authoritative primary named.conf file
// options clause defining the server-wide properties
options {
  // all relative paths use this directory as a base
  directory "/usr/local/var/named";
  listen-on { 127.0.0.1; };
  listen-on-v6 { ::1; };
  allow-query { 127.0.0.1; ::1; };
  allow-query-cache { none; };
  recursion no;
};
// logging clause
// log to example.log (under the options directory) all events from info UP in severity (no debug)
// uses 3 files in rotation swaps files when size reaches 250K
// failure messages that occur before logging is established are
// in syslog (/var/log/messages)
//
logging {
  channel example_log {
    // uses a relative path name and the directory statement to
    // expand to /usr/local/var/named/example.log
    file "example.log" versions 3 size 250k;
    // only log info and up messages - all others discarded
    severity info;
  };
  category default {
    example_log;
  };
};

acl local-requesters {
    localhost;
};

dnssec-policy "persistent-rsasha256" {
    keys {
        ksk lifetime unlimited algorithm rsasha256;
        zsk lifetime unlimited algorithm rsasha256 1024;
    };
};

dnssec-policy "persistent-ecdsa256" {
    keys {
        ksk lifetime unlimited algorithm 13;
        zsk lifetime unlimited algorithm 13;
    };
};

// We are a standalone test server for jamm.ie
zone "jamm.ie" {
    type primary;
    update-policy local;
    file "jamm.ie/db.jamm.ie";
    key-directory "jamm.ie/";
    masterfile-format text;
    dnssec-policy persistent-rsasha256;
    notify explicit;
    allow-transfer {
        local-requesters;
    };
};

// We are a standalone test server for no8.be
zone "no8.be" {
    type primary;
    update-policy local;
    file "no8.be/db.no8.be";
    key-directory "no8.be/";
    masterfile-format text;
    dnssec-policy persistent-ecdsa256;
    notify explicit;
    allow-transfer {
        local-requesters;
    };
};
-------------- next part --------------
managed-keys-zone: loaded serial 0
zone no8.be/IN: loaded serial 2022110700 (DNSSEC signed)
zone jamm.ie/IN: loaded serial 2022110700 (DNSSEC signed)
zone no8.be/IN: reconfiguring zone keys
keymgr: DNSKEY no8.be/ECDSAP256SHA256/42593 (KSK) created for policy persistent-ecdsa256
keymgr: DNSKEY no8.be/ECDSAP256SHA256/5030 (ZSK) created for policy persistent-ecdsa256
Fetching no8.be/ECDSAP256SHA256/42593 (KSK) from key repository.
DNSKEY no8.be/ECDSAP256SHA256/42593 (KSK) is now published
DNSKEY no8.be/ECDSAP256SHA256/42593 (KSK) is now active
Fetching no8.be/ECDSAP256SHA256/5030 (ZSK) from key repository.
DNSKEY no8.be/ECDSAP256SHA256/5030 (ZSK) is now published
DNSKEY no8.be/ECDSAP256SHA256/5030 (ZSK) is now active
zone no8.be/IN: next key event: 07-Nov-2022 12:17:13.995
zone jamm.ie/IN: reconfiguring zone keys
keymgr: retire DNSKEY jamm.ie/RSASHA256/3078 (ZSK)
DNSKEY jamm.ie/RSASHA256/17103 (ZSK) is now active
Removing expired key 3078/RSASHA256 from DNSKEY RRset.
DNSKEY jamm.ie/RSASHA256/3078 (ZSK) is now deleted
CDS for key jamm.ie/RSASHA256/47680 is now published
CDNSKEY for key jamm.ie/RSASHA256/47680 is now published
zone jamm.ie/IN: next key event: 07-Nov-2022 10:17:14.023
all zones loaded
running
managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is now trusted, waiving the normal 30-day waiting period.
resolver priming query complete: success
zone jamm.ie/IN: reconfiguring zone keys
zone jamm.ie/IN: next key event: 07-Nov-2022 11:17:14.026
zone jamm.ie/IN: reconfiguring zone keys
zone jamm.ie/IN: next key event: 07-Nov-2022 12:17:14.028
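The expected-behaviour list above hinges on the CDS that named generates matching the DS already in the parent. The following added example (not from the post, and not BIND code) derives the DS fields from a DNSKEY line in K*.key presentation format (RFC 4034 key tag and SHA-256 digest) so that can be checked before a migration, and sketches the flags/algorithm comparison against a policy. The policy dict and the sample key bytes are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY line in the presentation format of K*.key files.
# The 64 "public key" bytes (1..64) are arbitrary, not a real ECDSA key.
SAMPLE_KEY = "no8.be. IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(1, 65))).decode()

def parse_dnskey(line):
    """Return (owner, flags, protocol, algorithm, rdata); tolerates an optional TTL."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return tokens[0], flags, proto, alg, rdata

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, as in RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(owner):
    """Canonical (lowercase) wire form of the owner name."""
    labels = owner.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()

def ds_record(line):
    """DS RR fields (key tag, algorithm, digest type, digest) for a DNSKEY line."""
    owner, _flags, _proto, alg, rdata = parse_dnskey(line)
    return key_tag(rdata), alg, 2, ds_sha256(owner, rdata)

def matches_parent_ds(line, parent_ds):
    """True when the DS the parent publishes equals the DS derived from this key."""
    return ds_record(line) == parent_ds

def role_fits_policy(line, policy):
    """Compare role (SEP bit => KSK) and algorithm with a policy dict such as
    {"ksk": 13, "zsk": 13}; an illustration only, not BIND's keymgr logic."""
    _owner, flags, _proto, alg, _rdata = parse_dnskey(line)
    role = "ksk" if flags & 1 else "zsk"
    return policy.get(role) == alg
```

Feed it the lines from each key-directory's K*.key files and compare the tuple with the DS the parent currently serves (for example as shown on the dnsviz pages linked above).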