ZSK rollover weirdness

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Fri Sep 6 16:28:05 UTC 2013


Getting reports of people with certain ISPs (like Comcast) who can't resolve my domains now.

Did a dnsviz on my domain and the error is:

RRSIG ksu.edu/A by ksu.edu/DNSKEY alg 8, key 14693:The RRSIG was made by a revoked key.

Which makes no sense, because I have no key with that id in my key repository.

The files in my repository are:

Kksu.edu.+008+09339.key       Kksu.edu.+008+09339.private
Kksu.edu.+008+14565.key       Kksu.edu.+008+14565.private
Kksu.edu.+008+29826.key       Kksu.edu.+008+29826.private
Kksu.edu.+008+31279.key       Kksu.edu.+008+31279.private
Kksu.edu.+008+44538.key       Kksu.edu.+008+44538.private
Kksu.edu.+008+51720.key       Kksu.edu.+008+51720.private
Kksu.edu.+008+51909.key       Kksu.edu.+008+51909.private

Which represents all the Alg 8 keys since we switched to it from 7 on Jun 1st.  I haven't decided whether to add to the current automation to clean up the old keys, or to find different automation.  The old Alg 7 keys weren't deleted, I just moved them aside (my records say we went signed on Jul 28, 2010, and the first delegated subdomain was signed Nov 3, 2011....even though it didn't work correctly until last December, when I upgraded from 9.7.6-P4 to 9.9.2-P1, since the main feature of the subdomain is a wildcard record (NSEC3)...the mailer is supposed to masquerade everything in the subdomain as the subdomain, but sometimes host names leak out... :) 

But, dnssec-signzone says this:

Fetching KSK 31279/RSASHA256 from key repository.
Fetching ZSK 14693/RSASHA256 from key repository.
Fetching ZSK 44538/RSASHA256 from key repository.
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 1 revoked
ksu.edu.signed

The current ZSK is 44538

; This is a zone-signing key, keyid 44538, for ksu.edu.
; Created: 20130901090000 (Sun Sep  1 04:00:00 2013)
; Publish: 20130901090007 (Sun Sep  1 04:00:07 2013)
; Activate: 20130901090007 (Sun Sep  1 04:00:07 2013)
; Revoke: 20131202090000 (Mon Dec  2 03:00:00 2013)
; Inactive: 20131216090000 (Mon Dec 16 03:00:00 2013)
; Delete: 20131230090000 (Mon Dec 30 03:00:00 2013)
ksu.edu. IN DNSKEY 256 3 8 AwEAAet97mpbg2GBaA5EhJxPbygYOFIrrjLSV/dAvyEDRSdcyqMjfZXt qQNj9lw0GY9Hc9s8vi3W2NApa2z3Ky+OO6SEMhsubN0bLnE76SAL01kW KZ8yrs/tu6/Rr7+NEB4Wa978pyosLIHtzF9WYlrY8bcPhQT21bgYonZJ R8r+6EXF

And, the prior ZSK was 14565

; This is a zone-signing key, keyid 14565, for ksu.edu.
; Created: 20130601090000 (Sat Jun  1 04:00:00 2013)
; Publish: 20130601090007 (Sat Jun  1 04:00:07 2013)
; Activate: 20130601090007 (Sat Jun  1 04:00:07 2013)
; Revoke: 20130901090000 (Sun Sep  1 04:00:00 2013)
; Inactive: 20130915090000 (Sun Sep 15 04:00:00 2013)
; Delete: 20130929090000 (Sun Sep 29 04:00:00 2013)
ksu.edu. IN DNSKEY 256 3 8 AwEAAc1HU7nrlgFeGLZSgHCytd+BItSNgR5gY4iemDCAX9+z+cpyq/Pe 52kLuFxDjCj89EzdjKFDGAkPRDPImWlTQLCr3WQl8g5SIOs67bBR72hv q2tHmgpK+/j9Z4yqLRyld/Kpl2FRNWc7dvqh8i+Sd0or5WrLO3ocftS1 t3rQaznB

I'm running bind-9.9.3-P2

Where is 14693 coming from?  And, how do I get it to work right?

This problem also affects my other signed domains.

Fetching ZSK 38373/RSASHA256 from key repository.
Fetching ZSK 43247/RSASHA256 from key repository.
Fetching KSK 52261/RSASHA256 from key repository.
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 1 revoked
k-state.edu.signed

There is no 43247

Kk-state.edu.+008+06129.key       Kk-state.edu.+008+06129.private
Kk-state.edu.+008+22785.key       Kk-state.edu.+008+22785.private
Kk-state.edu.+008+23166.key       Kk-state.edu.+008+23166.private
Kk-state.edu.+008+38373.key       Kk-state.edu.+008+38373.private
Kk-state.edu.+008+41019.key       Kk-state.edu.+008+41019.private
Kk-state.edu.+008+43119.key       Kk-state.edu.+008+43119.private
Kk-state.edu.+008+52261.key       Kk-state.edu.+008+52261.private

The prior ZSK was 43119

None of the Alg 7 keys have these IDs either.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkchen at ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library
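
The unexplained key id is the prior ZSK's id plus 128 in both zones (14693 = 14565 + 128, 43247 = 43119 + 128). That is exactly what the RFC 5011 REVOKE bit (0x0080 in the DNSKEY flags field) adds to the RFC 4034 key tag, because the flags are part of the RDATA the tag is summed over, while the K*.key file name keeps the tag the key had before the bit was set. The post's own key metadata has each ZSK's Revoke date falling two weeks before its Inactive date, and dnssec-signzone reports "1 revoked" ZSK and fetches 14693 next to 44538; the REVOKE bit exists for RFC 5011 trust-anchor rollover, which only ever concerns KSKs. The Python below is an added example, not code from the post, BIND or DNSViz: it recomputes the tag from the 14565 DNSKEY line quoted above, shows what the same key tags as once REVOKE is set, and matches an unknown tag from a validator back to a repository listing using only the tags. The function names and the helper find_revoked_origin are mine; the DNSKEY line and the tag lists are copied from the post.

```python
"""RFC 4034 key tag arithmetic: why a revoked ZSK reports a new key id.

Added example, not code from the original post, BIND or DNSViz.  The DNSKEY
line is the prior ZSK 14565 copied from the post; the function names and the
repository tag lists are mine.
"""
import base64
import struct

ZONE_KEY = 0x0100  # RFC 4034 Zone Key flag (flags value 256 = ZSK)
SEP = 0x0001       # RFC 4034 Secure Entry Point flag (257 = KSK)
REVOKE = 0x0080    # RFC 5011 REVOKE flag (384 = revoked ZSK, 385 = revoked KSK)

# Sample input copied from the post's Kksu.edu.+008+14565.key file.
POSTED_ZSK_14565 = (
    "ksu.edu. IN DNSKEY 256 3 8 "
    "AwEAAc1HU7nrlgFeGLZSgHCytd+BItSNgR5gY4iemDCAX9+z+cpyq/Pe "
    "52kLuFxDjCj89EzdjKFDGAkPRDPImWlTQLCr3WQl8g5SIOs67bBR72hv "
    "q2tHmgpK+/j9Z4yqLRyld/Kpl2FRNWc7dvqh8i+Sd0or5WrLO3ocftS1 "
    "t3rQaznB"
)

# Key ids taken from the post's two repository listings.
KSU_EDU_REPO = [9339, 14565, 29826, 31279, 44538, 51720, 51909]
K_STATE_EDU_REPO = [6129, 22785, 23166, 38373, 41019, 43119, 52261]


def parse_dnskey(line):
    """Split a DNSKEY presentation-format line into (flags, protocol, algorithm, pubkey)."""
    fields = line.split()
    i = fields.index("DNSKEY")          # owner [ttl] [class] DNSKEY flags proto alg key...
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return flags, proto, alg, pubkey


def dnskey_rdata(flags, proto, alg, pubkey):
    """Wire-format RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B.1 key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # sum the RDATA as big-endian 16-bit words
    ac += (ac >> 16) & 0xFFFF             # fold the carry back in once
    return ac & 0xFFFF


def tags_for(line):
    """Return (tag as published, tag once REVOKE is set) for one DNSKEY line."""
    flags, proto, alg, pubkey = parse_dnskey(line)
    live = key_tag(dnskey_rdata(flags, proto, alg, pubkey))
    revoked = key_tag(dnskey_rdata(flags | REVOKE, proto, alg, pubkey))
    return live, revoked


def find_revoked_origin(unknown_tag, repo_tags):
    """Which key files (by pre-revocation tag) would produce unknown_tag once revoked?

    REVOKE lives in the low byte of the first 16-bit word, so it adds 128 to the raw
    sum; the tag therefore moves by 128, or by 129 when that addition crosses a
    16-bit boundary and the carry fold picks up one more.  Only the tags are needed.
    """
    return [t for t in repo_tags
            if (t + 128) % 65536 == unknown_tag or (t + 129) % 65536 == unknown_tag]


if __name__ == "__main__":
    live, revoked = tags_for(POSTED_ZSK_14565)
    print(f"published tag {live}, tag with REVOKE set {revoked}")
    print("ksu.edu 14693 came from", find_revoked_origin(14693, KSU_EDU_REPO))
    print("k-state.edu 43247 came from", find_revoked_origin(43247, K_STATE_EDU_REPO))
```

Running it against the quoted key gives 14565 as published and 14693 with REVOKE set, and the tag-only matcher maps 14693 to 14565 in the ksu.edu listing and 43247 to 43119 in the k-state.edu listing. The same arithmetic applies to a KSK (257 becomes 385), which is the one case where publishing a REVOKE-flagged key is intended.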