bind9.9.0rc1 DNSSEC key rollover failure

Spain, Dr. Jeffry A. spainj at countryday.net
Sun Jan 8 21:37:38 UTC 2012


A couple of weeks ago I found a DNSSEC key rollover problem with bind 9.9.0b2. See https://lists.isc.org/pipermail/bind-users/2011-December/086063.html. This appears to have persisted after upgrading to bind 9.9.0rc1 this afternoon.

See http://dnsviz.net/d/jaspain.net/dnssec/. The RRSIGs on the jaspain.net AAAA, A, and TXT RRSets signed by ZSK 35297 expired on 12/17/2011, and those RRSets have not been resigned with the new ZSK 42152.

The metadata for ZSK 35297 calls for it to have become inactive on 12/12/2011 (at zero hours UTC) and for it to be deleted on 1/16/2012. The metadata for the new ZSK 42152 calls for it to have been published on 9/8/2011 and activated on 12/11/2011. The jaspain.net SOA RRSet was signed by ZSK 35297 on 12/10/2011 and by ZSK 42152 at the same time. Following today's upgrade to RC1 the signature by ZSK 35297 on the SOA RRSet was removed.

As I understand it, bind should be resigning RRSets automatically to prevent such signature expirations.

This particular zone is configured for in-line signing from a locally stored copy of the unsigned zone:

zone "jaspain.net" {
        type master;
        file "/var/lib/bind/jaspain.net/jaspain.net.db";
        key-directory "/var/lib/bind/jaspain.net";
        update-policy local;
        auto-dnssec maintain;
        inline-signing yes;
        also-notify { 2001:4870:20ca:158:14ff:7695:9632:e9ec; };
};

Thanks for any ideas you may have about what has gone wrong.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
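A monitoring check for the condition described in this post, added here as an example that is neither part of the original message nor BIND's own code: given each ZSK's Activate/Inactive timing metadata and the RRSIGs observed on the zone, it reports every RRSet that no longer carries an unexpired signature from a key that should currently be signing. The key timings and the A/AAAA/TXT signature expiry are taken from the post; the Activate date of key 35297 and the SOA signature expiry are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

def utc(*ymdhm: int) -> datetime:
    return datetime(*ymdhm, tzinfo=timezone.utc)
@dataclass
class KeyTiming:  # timing metadata as set with dnssec-settime -A / -I
    keytag: int
    activate: datetime
    inactive: Optional[datetime] = None

    def should_sign(self, now: datetime) -> bool:
        # A key signs from its Activate date up to, not including, its Inactive date.
        return self.activate <= now and (self.inactive is None or now < self.inactive)

@dataclass
class RRSIG:
    owner: str
    rrtype: str
    keytag: int
    expiration: datetime

def audit(keys, rrsigs, now):
    # Returns {(owner, rrtype): reason} for every RRSet that lacks an unexpired
    # RRSIG made by a key that should be signing at `now`.
    active = {k.keytag for k in keys if k.should_sign(now)}
    by_rrset = {}
    for sig in rrsigs:
        by_rrset.setdefault((sig.owner, sig.rrtype), []).append(sig)
    findings = {}
    for rrset, sigs in by_rrset.items():
        if any(s.keytag in active and s.expiration > now for s in sigs):
            continue  # at least one good signature: nothing to report
        reasons = []
        for s in sigs:
            if s.expiration <= now:
                reasons.append(f"RRSIG by {s.keytag} expired {s.expiration:%Y-%m-%d}")
            elif s.keytag not in active:
                reasons.append(f"RRSIG by {s.keytag}, a key that should not be signing")
        findings[rrset] = "; ".join(reasons)
    return findings

# Constructed from the dates in the post; the Activate date of 35297 is an assumption.
KEYS = [KeyTiming(35297, utc(2011, 6, 1), utc(2011, 12, 12)),
        KeyTiming(42152, utc(2011, 12, 11))]
SIGS = [RRSIG("jaspain.net", t, 35297, utc(2011, 12, 17)) for t in ("A", "AAAA", "TXT")]
SIGS.append(RRSIG("jaspain.net", "SOA", 42152, utc(2012, 1, 9)))  # SOA expiry constructed
NOW = utc(2012, 1, 8, 21, 37)  # time of the post
```

Running `audit(KEYS, SIGS, NOW)` flags the A, AAAA and TXT RRSets as carrying only an expired signature by the inactive key 35297, while the SOA RRSet, signed by the active key 42152, passes.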
