KASP Rollover = Immediate Loss of DNSKEY (Why Do Inactive Keys Disappear?)

Mark Andrews marka at isc.org
Mon Oct 9 01:11:59 UTC 2023



> On 8 Oct 2023, at 02:16, Eddie Rowe <Eddie.Rowe at werdev.com> wrote:
> 
> When performing a key rollover using the KASP I continue to see the DNSKEY IMMEDIATELY disappear rather than staying active for the appropriate period of time with the test zone having a 3 hour TTL.  I first encountered this behavior with RHEL 9.2 with BIND 9.16.23-RH (Extended Support Version) with a ZSK key in testing and now with Fedora and 9.18.19 with as generic a setup as you can have with the default DNSSEC policy.  I know the manner in which rollovers are handled with the default policy may be different, but I still do not think the DNSKEY should disappear immediately on rollover since it is set to being inactive.
> 
> Said another way...why do keys that are set to an inactive state by the KASP process immediately disappear as they should still be in the zone but no longer used to sign data?
> 
> Steps to Reproduce:
> 1.  Set up a generic BIND installation with a test zone with default DNSSEC policy with inline signing.
> 2.  Run dig to see the DNSKEY.
> 3.  Run the rollover command.
> 4.  Run dig to see the DNSKEY - note the original DNSKEY is gone and the new one appears.

Given the parent zone doesn’t have DS records for the zone and there is no private trust anchor published,
there is no harm in changing the DNSKEYs immediately.  Try again and this time tell named that there are
DS records published for the zone.  

        rndc dnssec -keyid value -checkds published zone

This is also how you tell named about private trust anchors which are equivalent to publishing DS records
in the parent.

> Expected Result:
> 1.  Two DNSKEY values immediately after the rollover.
> 2.  The original DNSKEY should be removed from cache at a later time based on the TTL of the zone and the KASP handles this.  These date/times appear in the .key and .state after the rollover but the key appears to no longer be available which I believe causes a DNSSEC failure.
> 
> ---------------------------------------------------------------------------------
> [root at localhost dnssec.example]# named -v
> BIND 9.18.19 (Extended Support Version) <id:>
> ---------------------------------------------------------------------------------
> [root at localhost dnssec.example]# yum info bind
> Last metadata expiration check: 1:34:57 ago on Fri 06 Oct 2023 04:14:09 PM CDT.
> Installed Packages
> Name         : bind
> Epoch        : 32
> Version      : 9.18.19
> Release      : 1.fc38
> Architecture : x86_64
> Size         : 1.6 M
> Source       : bind-9.18.19-1.fc38.src.rpm
> Repository   : @System
> From repo    : updates
> Summary      : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
> URL          : https://www.isc.org/downloads/bind/
> License      : MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause
> Description  : BIND (Berkeley Internet Name Domain) is an implementation of the DNS
>              : (Domain Name System) protocols. BIND includes a DNS server (named),
>              : which resolves host names to IP addresses; a resolver library
>              : (routines for applications to use when interfacing with DNS); and
>              : tools for verifying that the DNS server is operating properly.
> ---------------------------------------------------------------------------------
> [root at localhost ~]# dig @localhost dnssec.example dnskey +multi
> 
> ; <<>> DiG 9.18.19 <<>> @localhost dnssec.example dnskey +multi
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11680
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 9e07c9760c4d71fc0100000065208d2a6696e86824aebb8e (good)
> ;; QUESTION SECTION:
> ;dnssec.example.                IN DNSKEY
> 
> ;; ANSWER SECTION:
> dnssec.example.         3600 IN DNSKEY 257 3 13 (
>                                 KHL+WEwOQA3iK5hTllDiZEZGsj3muffHMtFQLVz7yf1w
>                                 GqQipJ4ARhlwALPRlPJNaNRBmOj5bJZwTqYXglH9cQ==
>                                 ) ; KSK; alg = ECDSAP256SHA256 ; key id = 22645
> 
> ;; Query time: 5 msec
> ;; SERVER: ::1#53(localhost) (UDP)
> ;; WHEN: Fri Oct 06 17:41:46 CDT 2023
> ;; MSG SIZE  rcvd: 151
> ---------------------------------------------------------------------------------
> [root at localhost dnssec.example]# cat *22645.key
> ; This is a key-signing key, keyid 22645, for dnssec.example.
> ; Created: 20231006172923 (Fri Oct  6 12:29:23 2023)
> ; Publish: 20231006172923 (Fri Oct  6 12:29:23 2023)
> ; Activate: 20231006193423 (Fri Oct  6 14:34:23 2023)
> ; SyncPublish: 20231006193423 (Fri Oct  6 14:34:23 2023)
> dnssec.example. 3600 IN DNSKEY 257 3 13 KHL+WEwOQA3iK5hTllDiZEZGsj3muffHMtFQLVz7yf1wGqQipJ4ARhlw ALPRlPJNaNRBmOj5bJZwTqYXglH9cQ==
> ---------------------------------------------------------------------------------
> [root at localhost dnssec.example]# cat *22645.state
> ; This is the state of key 22645, for dnssec.example.
> Algorithm: 13
> Length: 256
> Lifetime: 0
> Predecessor: 12805
> KSK: yes
> ZSK: yes
> Generated: 20231006172923 (Fri Oct  6 12:29:23 2023)
> Published: 20231006172923 (Fri Oct  6 12:29:23 2023)
> Active: 20231006193423 (Fri Oct  6 14:34:23 2023)
> PublishCDS: 20231006193423 (Fri Oct  6 14:34:23 2023)
> DNSKEYChange: 20231006193423 (Fri Oct  6 14:34:23 2023)
> ZRRSIGChange: 20231006172923 (Fri Oct  6 12:29:23 2023)
> KRRSIGChange: 20231006193423 (Fri Oct  6 14:34:23 2023)
> DSChange: 20231006172923 (Fri Oct  6 12:29:23 2023)
> DNSKEYState: omnipresent
> ZRRSIGState: rumoured
> KRRSIGState: omnipresent
> DSState: hidden
> GoalState: omnipresent
> ---------------------------------------------------------------------------------
> [root at localhost dnssec.example]# rndc dnssec -rollover -key 22645 dnssec.example
> Key 22645: Rollover scheduled on 06-Oct-2023 17:46:52.000
> ---------------------------------------------------------------------------------
> [root at localhost dnssec.example]# dig @localhost dnssec.example dnskey +multi
> 
> ; <<>> DiG 9.18.19 <<>> @localhost dnssec.example dnskey +multi
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15909
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: ad6ddb84be53f55f0100000065208e6371e7a01ce9319ea9 (good)
> ;; QUESTION SECTION:
> ;dnssec.example.                IN DNSKEY
> 
> ;; ANSWER SECTION:
> dnssec.example.         3600 IN DNSKEY 257 3 13 (
>                                 CQNMEeneh3kEmKSTUYp6Baujt0Yxmz7Pl/2y/lekLtWg
>                                 8rjsxcgn8XYX+KFfglxgVNWoGMYYVtYFZsJBS5AOyg==
>                                 ) ; KSK; alg = ECDSAP256SHA256 ; key id = 37397
> 
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(localhost) (UDP)
> ;; WHEN: Fri Oct 06 17:46:59 CDT 2023
> ;; MSG SIZE  rcvd: 151
> 
> ---------------------------------------------------------------------------------
> [root at localhost dnssec.example]# cat *22645.key
> ; This is a key-signing key, keyid 22645, for dnssec.example.
> ; Created: 20231006172923 (Fri Oct  6 12:29:23 2023)
> ; Publish: 20231006172923 (Fri Oct  6 12:29:23 2023)
> ; Activate: 20231006193423 (Fri Oct  6 14:34:23 2023)
> ; Inactive: 20231007005152 (Fri Oct  6 19:51:52 2023)
> ; Delete: 20231017015652 (Mon Oct 16 20:56:52 2023)
> ; SyncPublish: 20231006193423 (Fri Oct  6 14:34:23 2023)
> dnssec.example. 3600 IN DNSKEY 257 3 13 KHL+WEwOQA3iK5hTllDiZEZGsj3muffHMtFQLVz7yf1wGqQipJ4ARhlw ALPRlPJNaNRBmOj5bJZwTqYXglH9cQ==
> ---------------------------------------------------------------------------------
> [root at localhost dnssec.example]# cat *22645.state
> ; This is the state of key 22645, for dnssec.example.
> Algorithm: 13
> Length: 256
> Lifetime: 19049
> Predecessor: 12805
> Successor: 37397
> KSK: yes
> ZSK: yes
> Generated: 20231006172923 (Fri Oct  6 12:29:23 2023)
> Published: 20231006172923 (Fri Oct  6 12:29:23 2023)
> Active: 20231006193423 (Fri Oct  6 14:34:23 2023)
> Retired: 20231007005152 (Fri Oct  6 19:51:52 2023)
> Removed: 20231017015652 (Mon Oct 16 20:56:52 2023)
> PublishCDS: 20231006193423 (Fri Oct  6 14:34:23 2023)
> DNSKEYChange: 20231006224652 (Fri Oct  6 17:46:52 2023)
> ZRRSIGChange: 20231006224652 (Fri Oct  6 17:46:52 2023)
> KRRSIGChange: 20231006224652 (Fri Oct  6 17:46:52 2023)
> DSChange: 20231006172923 (Fri Oct  6 12:29:23 2023)
> DNSKEYState: unretentive
> ZRRSIGState: unretentive
> KRRSIGState: unretentive
> DSState: hidden
> GoalState: hidden
> 
> 
> [root at localhost ~]# cat /etc/named.conf
> options
> {
>         directory               "/var/named";
>         dump-file               "data/cache_dump.db";
>         statistics-file         "data/named_stats.txt";
>         memstatistics-file      "data/named_mem_stats.txt";
>         secroots-file           "data/named.secroots";
>         recursing-file          "data/named.recursing";
> 
>         dnssec-validation auto;
>         managed-keys-directory "/var/named/dynamic";
> 
>         pid-file "/run/named/named.pid";
>         session-keyfile "/run/named/session.key";
>         include "/etc/crypto-policies/back-ends/bind.config";
> };
> 
> logging
> {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
> 
> zone "." IN {
>         type hint;
>         file "/var/named/named.ca";
> };
> 
> zone "dnssec.example" {
>       type primary;
>       file "dnssec.example.db";
>       dnssec-policy default;
>       inline-signing yes;
>       key-directory "keys/dnssec.example";
> };
> ---------------------------------------------------------------------------------
> [root at localhost dnssec.example]# cat /var/named/dnssec.example.db
> $ORIGIN dnssec.example.
> $TTL 3h
> 
> @ IN SOA ns01.dnssec.example. postmaster.dnssec.example. (
>                         2023100601  ; Serial
>                         3h        ; Refresh after 3 hours
>                         1h        ; Retry after 1 hour
>                         1w        ; Expire after 1 week
>                         1h )      ; Negative caching TTL of 1 hour
> 
>         NS      ns01.dnssec.example.
> 
> ; Addresses - ORIGIN definition allows us to not have to type FQDN as well as the trailing .
> 
> ns01    A       10.1.2.3


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
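As an added example (not code from this thread or from BIND), a small Python parser for the .state file quoted above; it flags the DSState: hidden condition Mark points to and reports the Retired to Removed window, assuming the 14-digit timestamps are UTC as the parenthesised CDT dates in the post indicate.

```python
"""Parse a BIND KASP key-state file and explain an immediate KSK rollover.
Added example, not code from the post or from BIND; it reads the *.state
format quoted in the thread ("Field: value (human date)")."""
import re
from datetime import datetime, timezone

# State of key 22645 as quoted in the post, after the rollover (trimmed).
STATE_22645 = """\
; This is the state of key 22645, for dnssec.example.
Lifetime: 19049
Successor: 37397
KSK: yes
ZSK: yes
Active: 20231006193423 (Fri Oct  6 14:34:23 2023)
Retired: 20231007005152 (Fri Oct  6 19:51:52 2023)
Removed: 20231017015652 (Mon Oct 16 20:56:52 2023)
DNSKEYState: unretentive
DSState: hidden
GoalState: hidden
"""

_FIELD = re.compile(r"^([A-Za-z]+):\s*(\S+)")  # the trailing "(date)" is ignored

def parse_state(text: str) -> dict:
    """Return {field: value}; 14-digit timestamps become aware UTC datetimes."""
    state = {}
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue  # blank or comment line
        m = _FIELD.match(line)
        if not m:
            raise ValueError(f"unparseable state line: {line!r}")
        key, val = m.groups()
        if re.fullmatch(r"\d{14}", val):  # YYYYMMDDHHMMSS, written in UTC
            val = datetime.strptime(val, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        state[key] = val
    return state

def explain_rollover(state: dict) -> list:
    """Findings an operator wants to check before trusting a KASP rollover."""
    findings = []
    if state.get("KSK") == "yes" and state.get("DSState") == "hidden":
        findings.append("DSState hidden: named has no record of a DS (or private trust "
                        "anchor) for this KSK, so it withdraws the old DNSKEY at once; "
                        "if one exists, run 'rndc dnssec -checkds published <zone>'")
    if state.get("DNSKEYState") == "unretentive":
        findings.append("DNSKEYState unretentive: the DNSKEY is being withdrawn from the zone")
    if "Retired" in state and "Removed" in state:
        findings.append(f"Retired -> Removed window: {state['Removed'] - state['Retired']}")
    return findings
```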


