KSK signing all records; NSEC3 algorithm status?

Phil Pennock bind-users+phil at spodhuis.org
Thu May 29 04:59:27 UTC 2014


On 2014-05-28 at 13:02 +1000, Mark Andrews wrote:
> If you want to finish transitioning to RSASHA256 just generate a
> zone signing key RSASHA256.  Named will sort things out.  You may
> end up with 3 sets of signatures for a while.  Don't worry about
> it.

The new DNSKEY had id=33768 and when I deployed it, Bind signed the SOA
with it but nothing else.

    $ rndc -s 127.0.0.5 signing -list xn--qck5b9a5eml3bze.jp
    Done signing with key 53065/RSASHA256

    $ host -lva xn--qck5b9a5eml3bze.jp nsauth | fgrep 33768
    xn--qck5b9a5eml3bze.jp. 43200   IN      RRSIG   DNSKEY 8 2 43200 20140627144436 20140528134436 33768 xn--qck5b9a5eml3bze.jp. BnKhdfy6/nGSEBnOo8EUJvHkzi+5NASKEHRTXE4R1abZprxSuuf2LFUhxzMsrZuvhsj/v7+8p0t5hQJx98Zvph+ddmFy5NfMBo/68OHtvuYPsquKuAQWLJtlykzj8C1MmMlute7tmxcZRaCMO7f26AqI/Pa4aa1JmmIyRtUo+Dg=
    xn--qck5b9a5eml3bze.jp. 43200   IN      RRSIG   SOA 8 2 43200 20140627144436 20140528134436 33768 xn--qck5b9a5eml3bze.jp. R7tyfea3OvFxnwgqL4xseUIAMfbIJsJywYn8hP8zYmTQqD6/31/ysNxVSJ8bnyGA1AwfcBrdjlD8NlDbzZRqMiM6avNF0PWIA8HMfvaB7AJ1aUjeGPLp3lR2zxTGdUpcpfY+Ge2fD2L7jB5hJYvCLEqCK8zDXC6EFYyZJFm0F+A=

It's been almost 14 hours, so anything that was going to slow roll,
should have completed.

Ran:

    $ rndc -s 127.0.0.5 signing -nsec3param 1 0 100 $(openssl rand -hex 8) xn--qck5b9a5eml3bze.jp

(If I'd thought, I could have used the same seed as before by looking up
 NSEC3PARAM type in DNS; ah well, the change should be harmless, right?)

I'm seeing a very incomplete set of records signed with id=33768.

To make it easier for others to see, and because I didn't want to
reconfig or further perturb bind9.10 on the authoritative master, I just
set one of the secondaries to open zone transfer for this zone.  The
`us0ns.globnix.net` server, which gets NOTIFY updates, has
`allow-transfer { any; };` enabled for `xn--qck5b9a5eml3bze.jp`.

    $ host -lva xn--qck5b9a5eml3bze.jp us0ns.globnix.net

There's various bits going into the logfile from default channel.  In
`logging {}` I do have `category "dnssec" { "dnssec_log"; };` but the
file taking that channel is, and always has been, empty.

It's hard to see anything about progress or decisions in signing in the
stuff which is going to the default log stream; there's:

----------------------------8< cut here >8------------------------------
28-May-2014 09:44:36.735 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): reconfiguring zone keys
28-May-2014 09:44:36.739 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): next key event: 28-May-2014 10:44:36.735
28-May-2014 10:34:20.108 general: info: received control channel command 'reload xn--qck5b9a5eml3bze.jp'
28-May-2014 10:34:20.110 general: info: zone xn--qck5b9a5eml3bze.jp/IN (unsigned): ixfr-from-differences: unchanged
28-May-2014 10:44:36.737 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): reconfiguring zone keys
28-May-2014 10:44:36.902 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): next key event: 28-May-2014 11:44:36.737
28-May-2014 10:44:36.903 notify: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): sending notifies (serial 2014011540)
28-May-2014 10:59:28.035 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): reconfiguring zone keys
28-May-2014 10:59:28.040 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): next key event: 28-May-2014 11:59:28.035
[...]
28-May-2014 23:59:28.446 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): reconfiguring zone keys
28-May-2014 23:59:28.451 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): next key event: 29-May-2014 00:59:28.446
29-May-2014 00:14:03.818 general: info: received control channel command 'signing -list xn--qck5b9a5eml3bze.jp'
29-May-2014 00:20:51.947 general: info: received control channel command 'signing -list xn--qck5b9a5eml3bze.jp'
29-May-2014 00:28:51.777 general: info: received control channel command 'signing -list xn--qck5b9a5eml3bze.jp'
29-May-2014 00:31:43.724 general: info: received control channel command 'signing -nsec3param 1 0 100 018150bbcb496fae xn--qck5b9a5eml3bze.jp'
29-May-2014 00:31:43.815 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): zone_addnsec3chain(1,REMOVE,100,AFAC2F795254DCC2)
29-May-2014 00:31:43.815 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): zone_addnsec3chain(1,CREATE,100,018150BBCB496FAE)
29-May-2014 00:31:43.860 notify: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): sending notifies (serial 2014011542)
29-May-2014 00:31:48.871 notify: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): sending notifies (serial 2014011544)
----------------------------8< cut here >8------------------------------

The TZ is America/New_York -- it's a mistake, I know why it has
happened, I'm not changing it back to UTC until this issue has been
resolved.

Any thoughts as to what I've messed up, and how, please?
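The check being done by hand above (zone transfer, then `fgrep` for the key id) is easy to get wrong by eye on a zone of any size. The following is an added example, not part of the original post or of BIND: it parses the presentation-format RR lines that `host -lva` or `dig axfr` print, tallies which key tags have RRSIGs over each RRset, and reports the RRsets that are signed by some key but not by the key tag you name. It runs on a constructed sample for a hypothetical zone `example.test` with the two key tags from the post; pipe a real transfer into it to audit the actual zone.

```python
"""Audit RRSIG coverage per key tag in an AXFR dump (host -lva / dig axfr output).

Usage: host -lva ZONE NAMESERVER | python3 rrsig_coverage.py 33768
With no arguments it runs against the constructed sample below.
"""
import sys
from collections import defaultdict

# Constructed sample (hypothetical zone example.test, not real data): the SOA is
# signed by both keys, DNSKEY only by the new key 33768, NS and A only by the
# old ZSK 53065, and the delegation sub.example.test plus its glue are unsigned,
# which is correct and must not be reported as a problem.
SAMPLE_AXFR = """\
Trying "example.test"
Using domain server:
Name: ns1.example.test
Address: 192.0.2.1#53
Aliases:

example.test.           43200 IN SOA   ns1.example.test. hostmaster.example.test. 2014011544 3600 900 1209600 300
example.test.           43200 IN RRSIG SOA 8 2 43200 20140627144436 20140528134436 33768 example.test. AAAA
example.test.           43200 IN RRSIG SOA 8 2 43200 20140627144436 20140528134436 53065 example.test. BBBB
example.test.           43200 IN DNSKEY 257 3 8 AwEAAexample...
example.test.           43200 IN RRSIG DNSKEY 8 2 43200 20140627144436 20140528134436 33768 example.test. CCCC
example.test.           43200 IN NS    ns1.example.test.
example.test.           43200 IN RRSIG NS 8 2 43200 20140627144436 20140528134436 53065 example.test. DDDD
ns1.example.test.       43200 IN A     192.0.2.1
ns1.example.test.       43200 IN RRSIG A 8 3 43200 20140627144436 20140528134436 53065 example.test. EEEE
sub.example.test.       43200 IN NS    ns.sub.example.test.
ns.sub.example.test.    43200 IN A     192.0.2.53
"""


def parse_records(axfr_text):
    """Yield (owner, rrtype, rdata_fields) for each 'owner TTL IN TYPE rdata...'
    line, skipping the tool's chatter and ';' comment lines."""
    for line in axfr_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or not fields[1].isdigit() or fields[2].upper() != "IN":
            continue
        yield fields[0].lower(), fields[3].upper(), fields[4:]


def rrsig_coverage(axfr_text):
    """Map each RRset (owner, type) to the set of key tags whose RRSIGs cover it.
    RRSIG rdata is: type-covered alg labels orig-ttl expire inception keytag signer sig,
    so the key tag is rdata field 6. RRsets with no RRSIG map to an empty set."""
    coverage = defaultdict(set)
    for owner, rrtype, rdata in parse_records(axfr_text):
        if rrtype == "RRSIG":
            coverage[(owner, rdata[0].upper())].add(int(rdata[6]))
        else:
            coverage.setdefault((owner, rrtype), set())
    return dict(coverage)


def rrsets_signed_by(axfr_text, keytag):
    """RRsets that carry an RRSIG from `keytag`."""
    cov = rrsig_coverage(axfr_text)
    return sorted(rrset for rrset, tags in cov.items() if keytag in tags)


def rrsets_missing_key(axfr_text, keytag):
    """RRsets signed by at least one key but not by `keytag`. Requiring some
    RRSIG first keeps delegation NS and glue, which are never signed, out of
    the report, so what remains is what the key rollover has not reached."""
    cov = rrsig_coverage(axfr_text)
    return sorted(rrset for rrset, tags in cov.items() if tags and keytag not in tags)


def unsigned_rrsets(axfr_text):
    """RRsets with no RRSIG at all (expected for delegation NS and glue)."""
    cov = rrsig_coverage(axfr_text)
    return sorted(rrset for rrset, tags in cov.items() if not tags)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        keytag, text = int(sys.argv[1]), sys.stdin.read()
    else:
        keytag, text = 33768, SAMPLE_AXFR
    print(f"signed by {keytag}:")
    for owner, rrtype in rrsets_signed_by(text, keytag):
        print(f"  {owner} {rrtype}")
    print(f"signed, but not by {keytag}:")
    for owner, rrtype in rrsets_missing_key(text, keytag):
        print(f"  {owner} {rrtype}")
    print("unsigned (delegations/glue expected here):")
    for owner, rrtype in unsigned_rrsets(text):
        print(f"  {owner} {rrtype}")
```

Run against the sample, the "signed, but not by 33768" list is the apex NS and the `ns1` A record, which is the shape of the problem described in the post: the new key's signatures stop at the apex SOA and DNSKEY. A non-empty list after the signing interval has elapsed is the thing to chase, while the unsigned list should contain only names at or below zone cuts.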

