How to introduce automatic signing for existing signed zones?
Matthijs Mekking
matthijs at isc.org
Mon Nov 7 13:04:32 UTC 2022
Hi Niall,
You need to share the dnssec-policy for no8.be in order to investigate
why it doesn't show the expected behavior, but I suspect that the policy
did not match the properties for the existing DNSSEC keys completely.
Best regards,
Matthijs
On 07-11-2022 12:40, Niall O'Reilly wrote:
> I have a couple of zones which I want to migrate from CLI-driven
> signing to BIND9 automatic signing, while avoiding any change to
> the respective parent-zone DS RR.
>
> Status quo ante:
>
> - https://dnsviz.net/d/no8.be/dnssec/
> separate KSK, ZSK; both using alg 13
> - https://dnsviz.net/d/jamm.ie/dnssec/
> 2048-bit KSK, 2x 1024-bit ZSKs (live and spare); all using alg 8
>
> Preparation:
>
> - Set up minimal stand-alone instance of BIND9 named,
> configured with a **dnssec-policy** for each algorithm,
> matching properties of existing DNSSEC keys, and with
> `lifetime unlimited`;
> - Deliver current key files and recently-signed copy of
> zone files to this instance.
>
> Expected behaviour on starting named:
>
> - Zones are loaded;
> - Spare ZSK for jamm.ie is retired;
> - Other keys for each zone are accepted and retained;
> - A CDS RR is generated for each zone, matching the current DS RR.
>
> Observed behaviour:
>
> - `named -v` shows `BIND 9.18.8 (Stable Release) <id:35f5d35>`;
> - Zones are loaded;
> - Spare ZSK for jamm.ie is retired;
> - Other RSA/SHA-256 keys (for jamm.ie) are accepted and retained;
> - A CDS RR is published for jamm.ie, matching the current DS RR;
> - ECDSAP256SHA256 keys (for no8.be) are not accepted;
> - New ECDSAP256SHA256 keys are created for no8.be;
> - No CDS RR is generated for no8.be.
>
> Unless I'm missing something, there seems to be a discrepancy
> according to key type between the handling of RSA/SHA-256 and
> ECDSAP256SHA256 keys respectively.
>
> /Niall
>
>
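As an added example (not written by either poster), a named.conf fragment of the kind Niall describes: one dnssec-policy per algorithm with `lifetime unlimited`, written so that algorithm, key length and KSK/ZSK role match the existing key files, since a policy that does not match those properties is what Matthijs suspects. The zone names are from the thread; file paths, key-directory and policy names are assumed.

```conf
// Alg 13 (ECDSAP256SHA256): separate KSK and ZSK, no automatic rollover.
// P-256 has a fixed key size, so no length is given for ecdsa256.
dnssec-policy "ecdsa256-existing-keys" {
    keys {
        ksk lifetime unlimited algorithm ecdsa256;
        zsk lifetime unlimited algorithm ecdsa256;
    };
};

// Alg 8 (RSASHA256): 2048-bit KSK, 1024-bit ZSK. The lengths here must
// equal those of the existing key files; a key whose algorithm, length or
// role differs from every entry in the policy is not adopted, and named
// generates new keys for the zone instead.
dnssec-policy "rsasha256-existing-keys" {
    keys {
        ksk lifetime unlimited algorithm rsasha256 2048;
        zsk lifetime unlimited algorithm rsasha256 1024;
    };
};

zone "no8.be" {
    type primary;
    file "/var/named/no8.be.db";       // assumed path to the signed zone copy
    key-directory "/var/named/keys";   // assumed: where the K*.key/.private files were delivered
    dnssec-policy "ecdsa256-existing-keys";
    inline-signing yes;
};

zone "jamm.ie" {
    type primary;
    file "/var/named/jamm.ie.db";
    key-directory "/var/named/keys";
    dnssec-policy "rsasha256-existing-keys";
    inline-signing yes;
};
```

After named has loaded the zone, `rndc dnssec -status no8.be` lists the key files the policy adopted with their roles and states, which is the quickest way to see which property of an existing key the policy failed to match.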