dnssec-policy change from ZSK/KSK to CSK failed (bogus DNSSEC for zone)
Sebastian Wiesinger
sebastian at karotte.org
Fri Jun 2 11:53:15 UTC 2023
Hi,
I recently moved from auto-dnssec to dnssec-policy and after the
switch I tried to change a zone from an RSA ZSK/KSK to an ECDSA CSK.
When I changed the dnssec-policy from rsa to ecdsa-csk the old keys
immediately got removed, which led to bogus DNSSEC for the zone. I
was expecting a rollover procedure.
BIND version is 9.18.12 (Debian Backports).
My question is, did I do something wrong? What would have been the
right way to do it? I noticed that the DS state is "hidden" before and
after the switch of the dnssec-policy but I found no way to change
that.
Here are the config and logs of the change:
Old and new policies are:
dnssec-policy "rsa" {
    keys {
        ksk key-directory lifetime unlimited algorithm rsasha256 2048;
        zsk key-directory lifetime P60D algorithm rsasha256 1024;
    };
};
dnssec-policy "ecdsa-csk" {
    keys {
        csk key-directory lifetime unlimited algorithm 13;
    };
};
Zone definition is:
zone "sub.my.zone" {
    type master;
    file "/etc/bind/dynamic-zones/sub.my.zone/sub.my.zone";
    allow-transfer { localhost; ns2; };
    key-directory "/etc/bind/dynamic-zones/sub.my.zone";
    dnssec-policy "ecdsa-csk";
    parental-agents { 127.12.12.13; };
    allow-update { key sub.my.zone_api.; };
};
Jun 02 13:26:19 alita named[1001022]: general: notice: zone sub.my.zone/IN/default: checkds: set 1 parentals
Jun 02 13:26:19 alita named[1001022]: dnssec: info: zone sub.my.zone/IN/default: reconfiguring zone keys
Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: retire DNSKEY sub.my.zone/RSASHA256/54096 (ZSK)
Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: retire DNSKEY sub.my.zone/RSASHA256/56781 (ZSK)
Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: retire DNSKEY sub.my.zone/RSASHA256/13786 (KSK)
Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: DNSKEY sub.my.zone/ECDSAP256SHA256/36745 (CSK) created for policy ecdsa-csk
Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/RSASHA256/56781 (ZSK) is now deleted
Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/RSASHA256/13786 (KSK) is now deleted
Jun 02 13:26:19 alita named[1001022]: dnssec: info: Fetching sub.my.zone/ECDSAP256SHA256/36745 (CSK) from key repository.
Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/ECDSAP256SHA256/36745 (CSK) is now published
Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/ECDSAP256SHA256/36745 (CSK) is now active
Jun 02 13:26:19 alita named[1001022]: dnssec: info: zone sub.my.zone/IN/default: next key event: 02-Jun-2023 13:31:19.338
Jun 02 13:26:19 alita named[1001022]: notify: info: zone sub.my.zone/IN/default: sending notifies (serial 2014014053)
DNSSEC status before:
dnssec-policy: rsa
current time: Fri Jun 2 13:23:54 2023
key: 54096 (RSASHA256), ZSK
  published: no
  zone signing: no
  Key has been removed from the zone
  - goal: hidden
  - dnskey: hidden
  - zone rrsig: unretentive
key: 56781 (RSASHA256), ZSK
  published: yes - since Fri Jun 2 11:15:23 2023
  zone signing: yes - since Fri Jun 2 12:20:23 2023
  Next rollover scheduled on Tue Aug 1 10:15:23 2023
  - goal: omnipresent
  - dnskey: omnipresent
  - zone rrsig: rumoured
key: 13786 (RSASHA256), KSK
  published: yes - since Wed Jan 22 22:42:33 2014
  key signing: yes - since Wed Jan 22 22:42:33 2014
  No rollover scheduled
  - goal: omnipresent
  - dnskey: omnipresent
  - ds: hidden
  - key rrsig: omnipresent
DNSSEC status after:
dnssec-policy: ecdsa-csk
current time: Fri Jun 2 13:32:23 2023
key: 54096 (RSASHA256), ZSK
  published: no
  zone signing: no
  Key has been removed from the zone
  - goal: hidden
  - dnskey: hidden
  - ds: hidden
  - zone rrsig: unretentive
  - key rrsig: hidden
key: 56781 (RSASHA256), ZSK
  published: no
  zone signing: no
  Key has been removed from the zone
  - goal: hidden
  - dnskey: unretentive
  - ds: unretentive
  - zone rrsig: unretentive
  - key rrsig: unretentive
key: 36745 (ECDSAP256SHA256), CSK
  published: yes - since Fri Jun 2 13:26:19 2023
  key signing: yes - since Fri Jun 2 13:26:19 2023
  zone signing: yes - since Fri Jun 2 13:26:19 2023
  No rollover scheduled
  - goal: omnipresent
  - dnskey: rumoured
  - ds: hidden
  - zone rrsig: rumoured
  - key rrsig: rumoured
key: 13786 (RSASHA256), KSK
  published: no
  key signing: no
  Key has been removed from the zone
  - goal: hidden
  - dnskey: hidden
  - ds: hidden
  - zone rrsig: unretentive
  - key rrsig: hidden
Best Regards
Sebastian
--
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
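The post shows that the KSK's DS state was "hidden" both before and after the policy change, and that the old keys were retired without a rollover. A defender's pre-flight check before changing a zone's dnssec-policy is therefore: parse the key state output and refuse to proceed while any key-signing key is in a DS state BIND does not consider omnipresent. The following is an added example, not code from the original post or from ISC; it assumes the "DNSSEC status" text in the post is the unindented output of `rndc dnssec -status <zone>` (the post does not say which command produced it), and the sample texts embedded below are copied from the post's status listings.

```python
"""Pre-flight check over BIND key-state output before a dnssec-policy change.

Parses the per-key state listing (as shown in the post) into records and
reports any key that is actively key-signing while its "ds" state is not
"omnipresent". Assumed input format: the text layout shown in the post.
"""
import re
from dataclasses import dataclass, field

# "key: 13786 (RSASHA256), KSK"
KEY_RE = re.compile(r"^key:\s+(\d+)\s+\((\w+)\),\s+(\w+)$")
# "- ds: hidden", "- zone rrsig: rumoured"
STATE_RE = re.compile(r"^-\s+([\w ]+?):\s+(\w+)$")
# "published: yes - since ...", "key signing: no"
FLAG_LABELS = (("published:", "published"),
               ("key signing:", "key_signing"),
               ("zone signing:", "zone_signing"))


@dataclass
class KeyStatus:
    keyid: int
    algorithm: str
    role: str                          # ZSK, KSK or CSK
    published: bool = False
    key_signing: bool = False
    zone_signing: bool = False
    states: dict = field(default_factory=dict)   # e.g. {"ds": "hidden"}


def parse_status(text):
    """Return (policy_name, [KeyStatus, ...]) from the status listing."""
    policy, keys, cur = None, [], None
    for raw in text.splitlines():
        line = raw.strip()             # tolerate rndc's indentation or none
        if not line:
            continue
        if line.startswith("dnssec-policy:"):
            policy = line.split(":", 1)[1].strip()
            continue
        m = KEY_RE.match(line)
        if m:
            cur = KeyStatus(int(m.group(1)), m.group(2), m.group(3))
            keys.append(cur)
            continue
        if cur is None:
            continue
        for label, attr in FLAG_LABELS:
            if line.startswith(label):
                setattr(cur, attr, line[len(label):].strip().startswith("yes"))
        m = STATE_RE.match(line)
        if m:
            cur.states[m.group(1)] = m.group(2)
    return policy, keys


def find_problems(keys):
    """Findings for key-signing keys whose DS is not omnipresent in BIND's view."""
    findings = []
    for k in keys:
        if k.role in ("KSK", "CSK") and k.key_signing:
            ds = k.states.get("ds", "missing")
            if ds != "omnipresent":
                findings.append(f"key {k.keyid} ({k.algorithm}, {k.role}) "
                                f"is key-signing but its ds state is '{ds}'")
    return findings


# Sample input copied from the post's "DNSSEC status before" listing.
BEFORE = """\
dnssec-policy: rsa
current time: Fri Jun 2 13:23:54 2023
key: 54096 (RSASHA256), ZSK
published: no
zone signing: no
Key has been removed from the zone
- goal: hidden
- dnskey: hidden
- zone rrsig: unretentive
key: 56781 (RSASHA256), ZSK
published: yes - since Fri Jun 2 11:15:23 2023
zone signing: yes - since Fri Jun 2 12:20:23 2023
Next rollover scheduled on Tue Aug 1 10:15:23 2023
- goal: omnipresent
- dnskey: omnipresent
- zone rrsig: rumoured
key: 13786 (RSASHA256), KSK
published: yes - since Wed Jan 22 22:42:33 2014
key signing: yes - since Wed Jan 22 22:42:33 2014
No rollover scheduled
- goal: omnipresent
- dnskey: omnipresent
- ds: hidden
- key rrsig: omnipresent
"""

if __name__ == "__main__":
    policy, keys = parse_status(BEFORE)
    print(f"policy {policy}: {len(keys)} keys")
    for problem in find_problems(keys) or ["no DS-state findings"]:
        print(" -", problem)
```

Run against the "before" listing, the check flags KSK 13786 because BIND records its DS as hidden even though the key has been signing since 2014; that is the state to resolve (confirm at the parent what DS is actually published, then tell BIND about it) before switching the zone to a new policy. `rndc dnssec -checkds published <zone>` is the existing rndc subcommand for marking the DS as published once that has been confirmed at the parent.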