9.7.0a3: dnssec-signzone signs with passive keys?

Hauke Lampe list+bindusers at hauke-lampe.de
Wed Sep 16 20:24:15 UTC 2009



I am currently exploring the new DNSKEY metadata and dnssec-signzone -S with
BIND 9.7.0a3. This feature definitely helps make key management easier
and will motivate more operators to sign their zones. Thank you for that.


For this test, I created a zone with one manually timed KSK, one active
ZSK and another published ZSK with an activation date in the future.

When I sign the zone from an unsigned zone file, dnssec-signzone works
as expected and signs the records only with the active ZSK.

Re-signing the signed zone file, however, also includes signatures from
the passive ZSK, *unless* I remove the DNSKEY records from the zone file
before signing. I guess this is due to the keys already in the signed
zone file overriding the -S switch:

|    key
|        Specify which keys should be used to sign the zone.
|        If no keys are specified, then the zone will be examined for
|        DNSKEY records at the zone apex. If these are found and
|        there are matching private keys, in the current directory,
|        then these will be used for signing.

(No "Fetching [...] from key repository" when re-signing)


My question is: Is this the supposed behaviour (i.e. keys already
included in a zone don't have their metadata checked, so I would need to
remove DNSKEY records), did I miss an option to pass to dnssec-signzone,
or is it likely to change for the next release?



Hauke.


dnssec-settime/signzone output:

KSK:

| Kkeyroll.dnstest.hauke-lampe.de.+005+07849.key
|
| Created: Wed Sep 16 04:23:39 2009
| Publish: UNSET
| Activate: UNSET
| Revoke: UNSET
| Unpublish: UNSET
| Delete: UNSET

Active ZSK:

| Kkeyroll.dnstest.hauke-lampe.de.+005+42630.key
|
| Created: Wed Sep 16 21:19:34 2009
| Publish: Wed Sep 16 21:19:34 2009
| Activate: Wed Sep 16 21:19:52 2009
| Delete: Tue Oct 13 21:19:34 2009

Passive ZSK:

| Kkeyroll.dnstest.hauke-lampe.de.+005+07701.key
|
| Created: Wed Sep 16 21:21:35 2009
| Publish: Wed Sep 16 21:21:35 2009
| Activate: Tue Sep 29 21:21:35 2009
| Delete: Tue Oct 13 21:21:35 2009

Signing the zone from an unsigned zone file:

| + dnssec-signzone -v 3 -N unixtime -K rollkeys -e +4d -i 172800 -S -T 230042 -o keyroll.dnstest.hauke-lampe.de -f db.keyroll.signed db.keyroll
| Fetching KSK 7849/RSASHA1 from key repository
| Fetching ZSK 42630/RSASHA1 from key repository
| Fetching ZSK 7701/RSASHA1 from key repository
| dnssec-signzone: debug 1: decrement_reference: delete from rbt: 0xb7c83060 keyroll.dnstest.hauke-lampe.de
| dnssec-signzone: debug 1: calling free_rbtdb(.)
| dnssec-signzone: debug 1: done free_rbtdb(.)
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/NSEC:
| dnssec-signzone:        signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/42630
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/DNSKEY:
| dnssec-signzone:        signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/7849
| dnssec-signzone:        signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/42630
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/SOA:
| dnssec-signzone:        signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/42630
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/NS:
| dnssec-signzone:        signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/42630
| Verifying the zone using the following algorithms: RSASHA1.
| Zone signing complete:
| Algorithm: RSASHA1: ZSKs: 2, KSKs: 1 active, 0 revoked, 0 stand-by
| db.keyroll.signed
| dnssec-signzone: debug 1: calling free_rbtdb(keyroll.dnstest.hauke-lampe.de)
| dnssec-signzone: debug 1: done free_rbtdb(keyroll.dnstest.hauke-lampe.de)

Re-Signing:

| + dnssec-signzone -v 3 -N unixtime -K rollkeys -e +4d -i 172800 -S -T 230042 -o keyroll.dnstest.hauke-lampe.de -f db.keyroll.signed db.keyroll.signed
| dnssec-signzone: debug 1: decrement_reference: delete from rbt: 0xb7c91060 keyroll.dnstest.hauke-lampe.de
| dnssec-signzone: debug 1: calling free_rbtdb(.)
| dnssec-signzone: debug 1: done free_rbtdb(.)
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/SOA:
| dnssec-signzone:        rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/42630 dropped - failed to verify
| dnssec-signzone:        resigning with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/42630
| dnssec-signzone:        signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/7701
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/NS:
| dnssec-signzone:        rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/42630 retained
| dnssec-signzone:        signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/7701
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/NSEC:
| dnssec-signzone:        rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/42630 retained
| dnssec-signzone:        signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/7701
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/DNSKEY:
| dnssec-signzone:        rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/7849 retained
| dnssec-signzone:        rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/42630 retained
| dnssec-signzone:        signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/7701
| Verifying the zone using the following algorithms: RSASHA1.
| Zone signing complete:
| Algorithm: RSASHA1: ZSKs: 2, KSKs: 1 active, 0 revoked, 0 stand-by
| db.keyroll.signed
| dnssec-signzone: debug 1: calling free_rbtdb(keyroll.dnstest.hauke-lampe.de)
| dnssec-signzone: debug 1: done free_rbtdb(keyroll.dnstest.hauke-lampe.de)

Re-Signing with DNSKEY records removed:

| + dnssec-signzone -v 3 -N unixtime -K rollkeys -e +4d -i 172800 -S -T 230042 -o keyroll.dnstest.hauke-lampe.de -f db.keyroll.signed db.keyroll.signed
| Fetching KSK 7849/RSASHA1 from key repository
| Fetching ZSK 42630/RSASHA1 from key repository
| Fetching ZSK 7701/RSASHA1 from key repository
| dnssec-signzone: debug 1: decrement_reference: delete from rbt: 0xb7bcb060 keyroll.dnstest.hauke-lampe.de
| dnssec-signzone: debug 1: calling free_rbtdb(.)
| dnssec-signzone: debug 1: done free_rbtdb(.)
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/DNSKEY:
| dnssec-signzone:        signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/7849
| dnssec-signzone:        signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/42630
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/SOA:
| dnssec-signzone:        rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/42630 dropped - failed to verify
| dnssec-signzone:        resigning with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/42630
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/NS:
| dnssec-signzone:        rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/42630 retained
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/NSEC:
| dnssec-signzone:        rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/42630 retained
| Verifying the zone using the following algorithms: RSASHA1.
| Zone signing complete:
| Algorithm: RSASHA1: ZSKs: 2, KSKs: 1 active, 0 revoked, 0 stand-by
| db.keyroll.signed
| dnssec-signzone: debug 1: calling free_rbtdb(keyroll.dnstest.hauke-lampe.de)
| dnssec-signzone: debug 1: done free_rbtdb(keyroll.dnstest.hauke-lampe.de)
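
Added example (not part of Hauke's message and not BIND code): a small
Python audit that does what the re-signing run above does not, namely
cross-check every RRSIG in a signed zone against the dnssec-settime
timing of the key that made it, and report signatures by keys that were
not yet active (or already past their Delete date) at signing time. The
key tags and dates mirror the post; the key metadata, the zone fragment
(dummy signature data in dnssec-signzone's "( ... )" layout) and the
signing time SIGNED_AT are constructed for the example. Following the
output above, where KSK 7849 with every date UNSET was still used to
sign DNSKEY, an UNSET Activate is treated as "active now".

```python
"""Added example, not from the original post or from BIND: audit a signed
zone for RRSIGs made by keys whose dnssec-settime metadata says they are
not (yet) active. Sample metadata, zone fragment and signing time below
are constructed; the key tags and dates mirror those in the post."""
import re
from datetime import datetime

SETTIME_FMT = "%a %b %d %H:%M:%S %Y"  # dnssec-settime style: "Wed Sep 16 21:19:52 2009"
RRSIG_FMT = "%Y%m%d%H%M%S"            # RRSIG inception/expiration (RFC 4034, 3.2)
KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")
TIMING_FIELDS = ("Created", "Publish", "Activate", "Revoke", "Unpublish", "Delete")
SIGNED_AT = datetime(2009, 9, 16, 21, 30)  # constructed: when dnssec-signzone was run


def parse_settime(text):
    """Map key tag -> timing metadata; a field printed as UNSET becomes None."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("| ").strip()  # tolerate the "| " quoting used in the post
        m = KEYFILE_RE.match(line)
        if m:
            current = keys.setdefault(int(m.group("tag")), {"alg": int(m.group("alg"))})
            continue
        field, sep, value = line.partition(":")
        if current is not None and sep and field in TIMING_FIELDS:
            value = value.strip()
            current[field] = None if value == "UNSET" else datetime.strptime(value, SETTIME_FMT)
    return keys


def _join_parens(text):
    """Fold "( ... )" multi-line records onto one line and drop ';' comments
    (assumes no ';' inside quoted strings, which holds for signzone output)."""
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            records.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    return records


def parse_rrsigs(zone_text):
    """Extract RRSIGs (owner, covered type, key tag, validity window); assumes
    every record carries an explicit owner name, as dnssec-signzone writes."""
    sigs = []
    for rec in _join_parens(zone_text):
        f = rec.split()
        if "RRSIG" not in f:
            continue
        i = f.index("RRSIG")
        covered, alg, _labels, _ottl, expire, incept, tag, signer = f[i + 1:i + 9]
        sigs.append({"owner": f[0], "covered": covered, "alg": int(alg), "tag": int(tag),
                     "inception": datetime.strptime(incept, RRSIG_FMT),
                     "expiration": datetime.strptime(expire, RRSIG_FMT), "signer": signer})
    return sigs


def audit_signatures(keys, sigs, signed_at):
    """Return [(sig, reason)] for RRSIGs a timing-aware signer should not have
    made at signed_at. UNSET Activate counts as active (KSK 7849 in the post)."""
    problems = []
    for s in sigs:
        meta = keys.get(s["tag"])
        if meta is None:
            problems.append((s, "key tag %d not in key repository" % s["tag"]))
            continue
        activate, delete = meta.get("Activate"), meta.get("Delete")
        if activate is not None and activate > signed_at:
            problems.append((s, "key %d not active until %s" % (s["tag"], activate)))
        elif delete is not None and delete <= signed_at:
            problems.append((s, "key %d past its Delete date %s" % (s["tag"], delete)))
    return problems


SAMPLE_SETTIME = """\
Kkeyroll.dnstest.hauke-lampe.de.+005+07849.key
Activate: UNSET
Delete: UNSET
Kkeyroll.dnstest.hauke-lampe.de.+005+42630.key
Activate: Wed Sep 16 21:19:52 2009
Delete: Tue Oct 13 21:19:34 2009
Kkeyroll.dnstest.hauke-lampe.de.+005+07701.key
Activate: Tue Sep 29 21:21:35 2009
Delete: Tue Oct 13 21:21:35 2009
"""

SAMPLE_ZONE = """\
; constructed fragment in dnssec-signzone output style; signature data is dummy
keyroll.dnstest.hauke-lampe.de. 3600 IN RRSIG SOA 5 4 3600 (
        20090920213000 20090916203000 42630 keyroll.dnstest.hauke-lampe.de.
        AAAAdummy== )
keyroll.dnstest.hauke-lampe.de. 3600 IN RRSIG SOA 5 4 3600 (
        20090920213000 20090916203000 7701 keyroll.dnstest.hauke-lampe.de.
        AAAAdummy== )
keyroll.dnstest.hauke-lampe.de. 3600 IN RRSIG DNSKEY 5 4 3600 (
        20090920213000 20090916203000 7849 keyroll.dnstest.hauke-lampe.de.
        AAAAdummy== )
"""

if __name__ == "__main__":
    for sig, why in audit_signatures(parse_settime(SAMPLE_SETTIME), parse_rrsigs(SAMPLE_ZONE), SIGNED_AT):
        print("%s RRSIG %s by key %d: %s" % (sig["owner"], sig["covered"], sig["tag"], why))
```

Run against real files, feed it the output of "dnssec-settime -p all" for
each key in the repository and the signed zone file; a non-empty result
for a zone you are about to publish means a signature exists that the
key timing says should not, which is exactly the passive-ZSK case above.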



