changing NSEC3 salt

Graham Clinch g.clinch at lancaster.ac.uk
Mon Mar 10 19:52:28 UTC 2014


> On Mon, Mar 10, 2014 at 12:38:34PM +0000, Graham Clinch wrote:
>> This isn't quite what I see with inline-signing on 9.9.5:
>>
>> If I switch from NSEC to NSEC3, my zone continues to have an NSEC chain
>> until the moment it has an NSEC3 chain.
>>
>> If I replace an existing NSEC3 chain with a new salt, I seem to lose a
>> load of RRSIGs, and there are no NSEC or NSEC3 records until the
>> operation completes!!  For example, there are no signatures on the
>> DNSKEYs, which feels like a disaster.
>
> That's certainly not what's supposed to happen, and it isn't the
> behavior I'm seeing.

Thanks Evan - I've mostly been investigating with dig. Note that this is 
all against a test server that is not publicly visible, and our publicly 
visible zone is not (yet) signed.

I said 'the[re] are no signatures on the DNSKEYs, which feels like a 
disaster.', but in this run, the problem stage doesn't even have 
DNSKEYs.  I'm not sure if I saw a different output earlier, or if I'm 
just losing it more generally...

I asked two queries at each stage:
hinfo: dig +multi +dnssec -t hinfo lancs.ac.uk @signer
any: dig +multi +dnssec -t any lancs.ac.uk @signer

(HINFO is intended to show the nsec/nsec3 existence, whilst ANY is to 
show the dnskey, etc).

I'm directly querying the host doing the inline signing, so there 
shouldn't be any caching issues.

Because the dig output is so voluminous, I've placed the output files on 
a webserver.

Dig on the client is from v9.8, whilst named is '9.9.5-2-Ubuntu'.

Here's a big dump of stages I went through - the problem is seen at 
stage 4, so feel free to skip ahead...

1) zone is signed, with nsec chain *steady state*:

hinfo:
http://www.lancaster.ac.uk/staff/clinch/scratch/bind9_nsec3_regen/1.txt
any:
http://www.lancaster.ac.uk/staff/clinch/scratch/bind9_nsec3_regen/2.txt

2) Begin nsec3 chain generation *in progress*:

$ /usr/sbin/rndc signing -nsec3param 1 0 10 ff11 lancs.ac.uk
$ rndc signing -list
Creating NSEC3 chain 1 0 10 FF11
Done signing with key 21498/RSASHA256
Done signing with key 33442/RSASHA256

hinfo:
http://www.lancaster.ac.uk/staff/clinch/scratch/bind9_nsec3_regen/3.txt
any:
http://www.lancaster.ac.uk/staff/clinch/scratch/bind9_nsec3_regen/4.txt

3) nsec3 chain *steady state*

hinfo:
http://www.lancaster.ac.uk/staff/clinch/scratch/bind9_nsec3_regen/5.txt
any:
http://www.lancaster.ac.uk/staff/clinch/scratch/bind9_nsec3_regen/6.txt

PROBLEM: 4) Another nsec3 chain generation *in progress*:

$ /usr/sbin/rndc signing -nsec3param 1 0 10 ff22 lancs.ac.uk
$ /usr/sbin/rndc signing -list lancs.ac.uk
Removing NSEC3 chain 1 0 10 FF11 / creating NSEC chain
Creating NSEC3 chain 1 0 10 FF22
Done signing with key 21498/RSASHA256
Done signing with key 33442/RSASHA256

hinfo:
http://www.lancaster.ac.uk/staff/clinch/scratch/bind9_nsec3_regen/7.txt
any:
http://www.lancaster.ac.uk/staff/clinch/scratch/bind9_nsec3_regen/8.txt

5) 2nd nsec3 chain *steady state*

hinfo:
http://www.lancaster.ac.uk/staff/clinch/scratch/bind9_nsec3_regen/9.txt
any:
http://www.lancaster.ac.uk/staff/clinch/scratch/bind9_nsec3_regen/10.txt

Graham

-- 
Graham Clinch
Systems Programmer,
Lancaster University
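Added example (not part of Graham's post or of BIND): a small Python check that reads saved dig output like the files linked above and flags the stage-4 condition, a negative answer with no NSEC or NSEC3 record and an ANY answer with no signed DNSKEY RRset. The sample outputs and the example.net names are constructed; the key tags reuse those shown in the post.

```python
import re
from collections import Counter

# Matches the first line of each RR in dig output. Works with +multi output
# too, since continuation lines do not start with an owner name and a TTL.
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)(?:\s+(\S+))?")

def rr_types(dig_output):
    """Return (types, signed): a Counter of RR types present and the set of
    types covered by at least one RRSIG."""
    types, signed = Counter(), set()
    for line in dig_output.splitlines():
        if line.startswith(";") or not line.strip():
            continue  # dig comment / section header
        m = RR_LINE.match(line)
        if not m:
            continue  # +multi continuation line (key material etc.)
        rtype, covered = m.group(2), m.group(3)
        types[rtype] += 1
        if rtype == "RRSIG" and covered:
            signed.add(covered)
    return types, signed

def rollover_problems(hinfo_output, any_output):
    """Report the conditions seen at stage 4 of the thread: no denial-of-
    existence record in the negative answer, and no signed DNSKEY RRset."""
    h_types, _ = rr_types(hinfo_output)
    a_types, a_signed = rr_types(any_output)
    problems = []
    if not (h_types["NSEC"] or h_types["NSEC3"]):
        problems.append("no NSEC or NSEC3 in negative answer")
    if not a_types["DNSKEY"]:
        problems.append("no DNSKEY RRset in ANY answer")
    elif "DNSKEY" not in a_signed:
        problems.append("DNSKEY RRset is unsigned")
    return problems

# Constructed sample outputs (not the real files from the thread).
STEADY_HINFO = """\
;; AUTHORITY SECTION:
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.net. 3600 IN NSEC3 1 0 10 FF11 ( 2T7B4G4VSA5SMI47K61MV5BV1A22BOJR NS SOA RRSIG DNSKEY NSEC3PARAM )
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.net. 3600 IN RRSIG NSEC3 8 3 3600 20140401000000 20140301000000 21498 example.net. abc=
"""
STEADY_ANY = """\
;; ANSWER SECTION:
example.net. 3600 IN DNSKEY 257 3 8 ( AwEAAc... )
example.net. 3600 IN RRSIG DNSKEY 8 2 3600 20140401000000 20140301000000 33442 example.net. def=
"""
STAGE4 = """\
;; AUTHORITY SECTION:
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2014031001 3600 900 604800 3600
"""
```

Pointing the two functions at the real 7.txt and 8.txt files in the post would tell you, without reading them by hand, whether the in-progress state is the one described.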
