[KASP] Key rollover
adrien sipasseuth
sipasseuth.adrien at gmail.com
Wed Jan 25 08:54:03 UTC 2023
Hi Matthijs ,
my next key was generated yesterday as expected by policy (parameter
"publish-safety 3d;"). My current key has been deleted from Bind (according
to the logs) but it still exists on my primary server (I can still find the
key and its status file).
When I do a "dig DNSKEY ..." from the primary server I only see the next
KSK.
I published the DS of my next key at my registrar and I notified Bind that
it was done via the command: rndc dnssec -checkds -key 24167 published
***********************'
In the logs here is what I have :
janv. 24 17:55:03 named[1197184]: keymgr: DNSKEY
********************/ECDSAP256SHA256/24167 (KSK) created for policy
client-generique
janv. 24 17:55:03 named[1197184]: DNSKEY
********************/ECDSAP256SHA256/46358 (KSK) is now deleted
janv. 24 17:55:03 named[1197184]: Fetching
********************/ECDSAP256SHA256/24167 (KSK) from key repository.
janv. 24 17:55:03 named[1197184]: DNSKEY
********************/ECDSAP256SHA256/24167 (KSK) is now published
janv. 24 17:55:03 named[1197184]: zone ********************/IN (signed):
next key event: 24-Jan-2023 19:00:03.893
janv. 24 17:55:03 named[1197184]: zone ********************/IN (signed):
sending notifies (serial 2022123004)
......<not relevant logs>.....
janv. 24 17:55:08 named[1197184]: zone ********************/IN (signed):
sending notifies (serial 2022123005)
janv. 24 19:00:03 named[1197184]: zone ********************/IN (signed):
reconfiguring zone keys
janv. 24 19:00:03 named[1197184]: keymgr: purge DNSKEY
********************/ECDSAP256SHA256/13323 (ZSK) according to policy
client-generique
janv. 24 19:00:03 named[1197184]: DNSKEY
********************/ECDSAP256SHA256/24167 (KSK) is now inactive
janv. 24 19:00:03 named[1197184]: zone ********************/IN (signed):
next key event: 25-Jan-2023 17:55:03.897
janv. 25 09:11:34 named[1197184]: received control channel command 'dnssec
-checkds -key 24167 published ********************'
janv. 25 09:11:34 named[1197184]: keymgr: checkds DS for key
********************/ECDSAP256SHA256/24167 seen published at Wed Jan 25
09:11:34 2023
janv. 25 09:11:34 named[1197184]: zone ********************/IN (signed):
reconfiguring zone keys
janv. 25 09:11:34 named[1197184]: DNSKEY
********************/ECDSAP256SHA256/24167 (KSK) is now inactive
janv. 25 09:11:34 named[1197184]: zone ********************/IN (signed):
next key event: 25-Jan-2023 17:55:03.026
janv. 25 09:19:02 named[1197184]: received control channel command 'dnssec
-status ********************'
janv. 25 09:19:59 named[1197184]: zone ********************/IN (signed):
reconfiguring zone keys
janv. 25 09:19:59 named[1197184]: DNSKEY
********************/ECDSAP256SHA256/24167 (KSK) is now inactive
janv. 25 09:19:59 named[1197184]: zone ********************/IN (signed):
next key event: 25-Jan-2023 17:55:03.062
When I look at the state files of my 2 KSKs, I always have "DSState:
hidden", I can't find any documentation on it, how Bind decides that the DS
is hidden? Because my primary server is hidden (not exposed to internet)?
Here is a "dig DS ..." I can see my current key :
...
***********************. 104974 IN DS 46358 13 2 (
0715AC00A9C4349AA627F098A20B6716EE7334CBE261
34D6281B36453C99D6C2 )
....
If it can help , here are the contents of the status files of my 2 KSKs :
KSK current but deleted (according to Bind logs):
; This is the state of key 46358, for ***********************
Algorithm: 13
Length: 256
Lifetime: 604800
Predecessor: 28887
Successor: 24167
KSK: yes
ZSK: no
Generated: 20230117165503 (Tue Jan 17 17:55:03 2023)
Published: 20230117165503 (Tue Jan 17 17:55:03 2023)
Active: 20230120180003 (Fri Jan 20 19:00:03 2023)
Retired: 20230127180003 (Fri Jan 27 19:00:03 2023)
Removed: 20230131190003 (Tue Jan 31 20:00:03 2023)
DSPublish: 20230125082125 (Wed Jan 25 09:21:25 2023)
PublishCDS: 20230120180003 (Fri Jan 20 19:00:03 2023)
DNSKEYChange: 20230124180003 (Tue Jan 24 19:00:03 2023)
KRRSIGChange: 20230124180003 (Tue Jan 24 19:00:03 2023)
DSChange: 20230117165503 (Tue Jan 17 17:55:03 2023)
DNSKEYState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden
The following KSK was generated, published at my registrar, notified to
Bind via the command "rndc dnssec -checkds..." and visible via a "dig
DNSKEY..." :
; This is the state of key 24167, for ***********************
Algorithm: 13
Length: 256
Lifetime: 604800
Predecessor: 46358
KSK: yes
ZSK: no
Generated: 20230124165503 (Tue Jan 24 17:55:03 2023)
Published: 20230124165503 (Tue Jan 24 17:55:03 2023)
Active: 20230127180003 (Fri Jan 27 19:00:03 2023)
Retired: 20230203180003 (Fri Feb 3 19:00:03 2023)
Removed: 20230207190003 (Tue Feb 7 20:00:03 2023)
DSPublish: 20230125082155 (Wed Jan 25 09:21:55 2023)
PublishCDS: 20230127180003 (Fri Jan 27 19:00:03 2023)
DNSKEYChange: 20230124165503 (Tue Jan 24 17:55:03 2023)
KRRSIGChange: 20230124165503 (Tue Jan 24 17:55:03 2023)
DSChange: 20230124165503 (Tue Jan 24 17:55:03 2023)
DNSKEYState: rumoured
KRRSIGState: rumoured
DSState: hidden
GoalState: omnipresent
Regards Adrien
Le mar. 24 janv. 2023 à 15:18, adrien sipasseuth <
sipasseuth.adrien at gmail.com> a écrit :
> Hello,
>
> I don't why DSState: hidden, it's ok with some online check tools like :
> - https://dnssec-analyzer.verisignlabs.com/
> - https://zonemaster.net/fr/run-test
>
> my master is hidden, it can be related ? How i can debug this DSState:
> hidden ?
>
> I found this command to check actual status : rndc dnssec -status
> **********
> This is the output :
> ....
> key: 46358 (ECDSAP256SHA256), KSK
> published: yes - since Tue Jan 17 17:55:03 2023
> key signing: yes - since Tue Jan 17 17:55:03 2023
>
> Next rollover scheduled on Tue Jan 24 17:55:03 2023
> - goal: omnipresent
> - dnskey: omnipresent
> - ds: hidden
> - key rrsig: omnipresent
> ...
>
> Regards Adrien
>
> Le mar. 24 janv. 2023 à 09:27, Matthijs Mekking <matthijs at isc.org> a
> écrit :
>
>> Hi Adrien,
>>
>> I don't think it is fine yet. I see in your state file the following line:
>>
>> > DSState: hidden
>>
>> This means the DS is not published according to BIND.
>>
>> > From my understanding, the second KSK should appear because I put the
>> > parameter "publish-safety 3d;" that is to say 3 days before the
>> > expiration ("retired") of the key in use. is that right?
>>
>> In addition to the DNSKEY TTL yes. The successor KSK should be
>> pre-published the sum of dnskey-ttl, publish-safety, and
>> zone-propagation-delay, prior to its retirement.
>>
>> Best regards,
>>
>> Matthijs
>>
>> On 1/24/23 09:08, adrien sipasseuth wrote:
>> > Hello Matthijs,
>> >
>> > Indeed I had not published the DS at my registar because I thought that
>> > the second KSK would have appeared anyway at the time of the rollover.
>> >
>> > I published the DS yesterday and I reported to BIND with the command
>> you
>> > gave me. I didn't find any error in the logs so everything must have
>> > been fine!
>> >
>> > here is the state file of the KSK in use :
>> > ; This is the state of key 46358, for ***********************.
>> > Algorithm: 13
>> > Length: 256
>> > Lifetime: 604800
>> > Predecessor: 28887
>> > KSK: yes
>> > ZSK: no
>> > Generated: 20230117165503 (Tue Jan 17 17:55:03 2023)
>> > Published: 20230117165503 (Tue Jan 17 17:55:03 2023)
>> > Active: 20230120180003 (Fri Jan 20 19:00:03 2023)
>> > Retired: 20230127180003 (Fri Jan 27 19:00:03 2023)
>> > Removed: 20230131190003 (Tue Jan 31 20:00:03 2023)
>> > DSPublish: 20230123081513 (Mon Jan 23 09:15:13 2023)
>> > PublishCDS: 20230120180003 (Fri Jan 20 19:00:03 2023)
>> > DNSKEYChange: 20230120180003 (Fri Jan 20 19:00:03 2023)
>> > KRRSIGChange: 20230120180003 (Fri Jan 20 19:00:03 2023)
>> > DSChange: 20230117165503 (Tue Jan 17 17:55:03 2023)
>> > DNSKEYState: omnipresent
>> > KRRSIGState: omnipresent
>> > DSState: hidden
>> > GoalState: omnipresent
>> >
>> > From my understanding, the second KSK should appear because I put the
>> > parameter "publish-safety 3d;" that is to say 3 days before the
>> > expiration ("retired") of the key in use. is that right?
>> >
>> > that is to say tonight at 7pm, I will see tomorrow if this one appears.
>> >
>> > regards, Adrien
>> >
>> >
>> >
>> > Le jeu. 19 janv. 2023 à 09:13, Matthijs Mekking <matthijs at isc.org
>> > <mailto:matthijs at isc.org>> a écrit :
>> >
>> > Hi Adrien,
>> >
>> > Without any logs or key **state** files, I can't really tell what is
>> > going on.
>> >
>> > My only gut feeling is that you have never signaled BIND 9 that the
>> DS
>> > has been published. You can run 'rndc dnssec -checkds -key 12345
>> > published example.com <http://example.com>' or set up
>> > parental-agents to do it for you.
>> >
>> > Best regards,
>> >
>> > Matthijs
>> >
>> > On 1/17/23 09:38, adrien sipasseuth wrote:
>> > > Hello,
>> > >
>> > > I put the management of DNSSEC with KASP, the zone is well
>> > functional.
>> > > (dig with "AD" flag etc)
>> > >
>> > > On the other hand, I can't see when the key rollover period for
>> > my KSK
>> > > is over (2 KSKs with a dig DNSKEY...)
>> > >
>> > > Without KASP, it was easy because I generated the second KSK key
>> but
>> > > with KASP, it is managed automatically.
>> > >
>> > > So, I have to adapt my scripts to check that there is :
>> > > - a used KSK key and a next KSK key
>> > > - Or only one KSK key used (if we are not in rollover phase)
>> > >
>> > > Except that with my current policy, I never see 2 KSKs via a "dig
>> > > DNSKEY...".
>> > > here is my policy :
>> > >
>> > > dnssec-policy "test" {
>> > > keys {
>> > > ksk lifetime P7D algorithm ecdsa256;
>> > > zsk lifetime P3D algorithm ecdsa256;
>> > > };
>> > > purge-keys 1d;
>> > > publish-safety 3d;
>> > > retire-safety 3d;
>> > > };
>> > >
>> > > I see either my KSK in use or my next KSK (via "dig DNSKEY...")
>> but
>> > > never both at the same time.
>> > >
>> > > Is this a normal behavior or am I doing it wrong?
>> > >
>> > > Regards, Adrien
>> > >
>> > --
>> > Visit https://lists.isc.org/mailman/listinfo/bind-users
>> > <https://lists.isc.org/mailman/listinfo/bind-users> to unsubscribe
>> > from this list
>> >
>> > ISC funds the development of this software with paid support
>> > subscriptions. Contact us at https://www.isc.org/contact/
>> > <https://www.isc.org/contact/> for more information.
>> >
>> >
>> > bind-users mailing list
>> > bind-users at lists.isc.org <mailto:bind-users at lists.isc.org>
>> > https://lists.isc.org/mailman/listinfo/bind-users
>> > <https://lists.isc.org/mailman/listinfo/bind-users>
>> >
>> >
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>> from this list
>>
>> ISC funds the development of this software with paid support
>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>> information.
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230125/ef1c8805/attachment-0001.htm>
More information about the bind-users
mailing list