DNSSEC ZSK key rollover, why is my zone double signed?

Robert Senger robert.senger at lists.microscopium.de
Mon Sep 7 19:17:01 UTC 2015


Hi Holger,

thanks, I just checked and can confirm your results, everything is fine
now. No manual action done.

But when I look at the dnsviz.net's analysis, I see this

http://dnsviz.net/d/microscopium.de/Ve0Nnw/dnssec/

15 hours ago (analyzed 2015-09-07 04:07:59 UTC), and this

http://dnsviz.net/d/microscopium.de/dnssec/

4 hours ago (analyzed 2015-09-07 15:03:18 UTC).

Your checks at Mon Sep 07 11:50:31 CEST 2015 are in between these two
analyses.

Doesn't the first analysis show a double signed zone?

However, I'll leave it like it is for now, and see what happens next
week ;)

Thanks again,

Robert



On Monday, 07.09.2015, 12:48 +0200, Holger Zuleger wrote:
> On 05.09.2015 11:53, Robert Senger wrote:
> > Hi all,
> > 
> > I am having trouble with the DNSSEC ZSK rollover for one of my zones.
> > Key rollover for all zones was scheduled at Thursday September 3,
> > 22:00:00 CEST. While everything worked well for most zones, one zone
> > became double signed. Below I've pasted public keys for one good and for
> > the double signed zone, and links to dnsviz.net that show what has
> > happened.
> >
> 
> > Double signed zone:
> > 
> > root at prokyon:/etc/bind# cat Kmicroscopium.de.+008+18903.key 
> > ; This is a zone-signing key, keyid 18903, for microscopium.de.
> > ; Created: 20150827010002 (Thu Aug 27 03:00:02 2015)
> > ; Publish: 20150827180000 (Thu Aug 27 20:00:00 2015)
> > ; Activate: 20150827200000 (Thu Aug 27 22:00:00 2015)
> > ; Inactive: 20150903200000 (Thu Sep  3 22:00:00 2015)
> > ; Delete: 20150910200000 (Thu Sep 10 22:00:00 2015)
> > microscopium.de. IN DNSKEY 256 3 8 AwEAAcH+5fi77XDBXYagvneBQNiPGGrohgXXf5t0DY1+rt6GUzBkEIle QdonDdjWmyHoANUZ/VStOgpZJFGQrp3LxtgtvZZbFq9EfQ4waMWQWY36 pxhDyac1X72dm3Eb+378GnR8SeIT+/NJDOEr9+yWrOd/FEM7le3JJyV5 qQrgP70R9QsMHRbttOJxd0qAHWod/vrY3uegx54i3REVpZwtxS3nhuUl kqxMbILTFiDV6LpI4bAasTc7Es08vs2op0fy/wT36x0ma2SttgWDOL+e jLqgWF5qiMYqrXScggPOTTaMiW0rPBKntpqkifl0G56IOOKAkVzqk4ME C3Ve3tBcY0M=
> > root at prokyon:/etc/bind# cat Kmicroscopium.de.+008+03234.key 
> > ; This is a zone-signing key, keyid 3234, for microscopium.de.
> > ; Created: 20150903110745 (Thu Sep  3 13:07:45 2015)
> > ; Publish: 20150903180000 (Thu Sep  3 20:00:00 2015)
> > ; Activate: 20150903200000 (Thu Sep  3 22:00:00 2015)
> > ; Inactive: 20150910200000 (Thu Sep 10 22:00:00 2015)
> > ; Delete: 20150917200000 (Thu Sep 17 22:00:00 2015)
> > microscopium.de. IN DNSKEY 256 3 8 AwEAAdT8E9n/mCorGHF4u4GBJnQ+4QzRDXQlhZjCLhRCxNAVWKaaLBYJ Vzx0uvtc8/W7+wX/Sax/S5EK1ym/74tzXH7q323t8gLEt78ZERHF5zEU DAvGEa+/Evf/h1M72FLOFjVpAhHfSc3JKfUYi8hrws7kZ4twMsEIepso dSMfa9N7WpQPkfjIAaY/kSxVcapCvKzmleiSU1Q2hRvduOwfTjE90xxg OfGzA7C+sCIT09pqtemluzYdOs1NaONrkaUD3ad+InqAne/a8xhnjZfD Nz57oxaYsffgiMahUVNTzMZukLbn30soRatdGEgEFmYvpSrrgDX3ceu3 3sNSzDhwIKE=
> I'm pretty much sure that this zone is *not* double signed.
> Using dig I'm getting this:
> 
> $ dig +dnssec +multi +nocrypto soa microscopium.de
> 
> ; <<>> DiG 9.11.0pre-alpha <<>> +dnssec +multi +nocrypto soa microscopium.de
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6796
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1460
> ; COOKIE: c8bb9ae44c57653ceb701b8b55ed5cfb6c8039aa6b918c0e (good)
> ;; QUESTION SECTION:
> ;microscopium.de.	IN SOA
> 
> ;; ANSWER SECTION:
> microscopium.de.	3453 IN	SOA mydnssec.eu. hostmaster.microscopium.de. (
> 				2015082120 ; serial
> 				14400      ; refresh (4 hours)
> 				3600       ; retry (1 hour)
> 				604800     ; expire (1 week)
> 				3600       ; minimum (1 hour)
> 				)
> microscopium.de.	3453 IN	RRSIG SOA 8 2 3600 (
> 				20150914082528 20150907072528 3234 microscopium.de.
> 				[omitted] )
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.1.1#53(127.0.1.1)
> ;; WHEN: Mon Sep 07 11:46:35 CEST 2015
> ;; MSG SIZE  rcvd: 433
> 
> 
> So the key used for signing "regular" RR sets is the one with tag 3234.
> 
> 
> $ dig +dnssec +multi +nocrypto dnskey microscopium.de
> 
> ; <<>> DiG 9.11.0pre-alpha <<>> +dnssec +multi +nocrypto dnskey
> microscopium.de
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32278
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1460
> ; COOKIE: 4e815a77f7ec0e42e149deeb55ed5de727d5ab9235815cf7 (good)
> ;; QUESTION SECTION:
> ;microscopium.de.	IN DNSKEY
> 
> ;; ANSWER SECTION:
> microscopium.de.	3096 IN	DNSKEY 256 3 8 (
> 				[key id = 18903]
> 				) ; ZSK; alg = RSASHA256; key id = 18903
> microscopium.de.	3096 IN	DNSKEY 256 3 8 (
> 				[key id = 3234]
> 				) ; ZSK; alg = RSASHA256; key id = 3234
> microscopium.de.	3096 IN	DNSKEY 257 3 8 (
> 				[key id = 29764]
> 				) ; KSK; alg = RSASHA256; key id = 29764
> microscopium.de.	3096 IN	RRSIG DNSKEY 8 2 3600 (
> 				20150911105838 20150904095838 3234 microscopium.de.
> 				[omitted] )
> microscopium.de.	3096 IN	RRSIG DNSKEY 8 2 3600 (
> 				20150911105838 20150904095838 29764 microscopium.de.
> 				[omitted] )
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.1.1#53(127.0.1.1)
> ;; WHEN: Mon Sep 07 11:50:31 CEST 2015
> ;; MSG SIZE  rcvd: 2018
> 
> 
> The keyset itself is signed by the ZSK with tag 3234 and the KSK with
> tag 29764.
> 
> The old ZSK with tag 18903 is still in the zone but this is the correct
> behavior of a Pre-Publish (zone)signing key rollover.
> 
> I guess you have to wait another 3 days before the old ZSK is removed
> from the DNSKEY set.
> 
> Regards
>  Holger
> 
> 

-- 
Robert Senger
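The distinction Holger draws is mechanical enough to script: a zone in the pre-publish phase has an extra ZSK in the DNSKEY RRset that produces no RRSIGs, whereas a double-signed zone carries two RRSIGs from two different ZSKs over the same RRset. The Python below is an added example, not code from this thread or from BIND; it joins the parenthesised `dig +dnssec +multi +nocrypto` output, reads which key tags are published as DNSKEY and which tags actually made the signatures, and names the state. The record text inside is constructed by hand to mirror the answers quoted above (tags 18903, 3234, 29764); the second variant appends a hypothetical extra RRSIG by the old ZSK to show what the zone would look like if it really were double signed.

```python
"""Classify a ZSK rollover state from `dig +dnssec +multi +nocrypto` output."""
import re
from collections import defaultdict

# Constructed sample mirroring the thread's SOA and DNSKEY answers (pre-publish state).
PREPUBLISH_DIG = """\
;; ANSWER SECTION:
microscopium.de.    3453 IN SOA mydnssec.eu. hostmaster.microscopium.de. (
                2015082120 ; serial
                14400      ; refresh (4 hours)
                3600       ; retry (1 hour)
                604800     ; expire (1 week)
                3600       ; minimum (1 hour)
                )
microscopium.de.    3453 IN RRSIG SOA 8 2 3600 (
                20150914082528 20150907072528 3234 microscopium.de.
                [omitted] )
microscopium.de.    3096 IN DNSKEY 256 3 8 (
                [key id = 18903]
                ) ; ZSK; alg = RSASHA256; key id = 18903
microscopium.de.    3096 IN DNSKEY 256 3 8 (
                [key id = 3234]
                ) ; ZSK; alg = RSASHA256; key id = 3234
microscopium.de.    3096 IN DNSKEY 257 3 8 (
                [key id = 29764]
                ) ; KSK; alg = RSASHA256; key id = 29764
microscopium.de.    3096 IN RRSIG DNSKEY 8 2 3600 (
                20150911105838 20150904095838 3234 microscopium.de.
                [omitted] )
microscopium.de.    3096 IN RRSIG DNSKEY 8 2 3600 (
                20150911105838 20150904095838 29764 microscopium.de.
                [omitted] )
"""

# Constructed variant: hypothetical second RRSIG over the SOA made with the old ZSK 18903.
DOUBLE_SIGNED_DIG = PREPUBLISH_DIG + """\
microscopium.de.    3453 IN RRSIG SOA 8 2 3600 (
                20150914082528 20150907072528 18903 microscopium.de.
                [omitted] )
"""

ZSK_FLAGS = "256"   # DNSKEY flags field: 256 = zone key, 257 = zone key + SEP (KSK)


def parse_records(text):
    """Join parenthesised multi-line records; yield (owner, type, rdata tokens, raw text)."""
    records, buf, depth = [], [], 0
    for line in text.splitlines():
        body = line.split(";", 1)[0]          # drop ';' comments; pure comment lines vanish
        if not body.strip() and depth == 0:
            continue
        buf.append(body)
        depth += body.count("(") - body.count(")")
        if depth == 0:                        # record complete
            raw = " ".join(buf)
            buf = []
            tokens = [t for t in raw.split() if t not in ("(", ")")]
            if len(tokens) >= 4 and tokens[2] == "IN":
                records.append((tokens[0], tokens[3], tokens[4:], raw))
    return records


def dnskey_roles(records):
    """Map key tag -> 'ZSK' or 'KSK' for every DNSKEY; +nocrypto prints '[key id = N]'."""
    roles = {}
    for _owner, rtype, rdata, raw in records:
        m = re.search(r"key id = (\d+)", raw) if rtype == "DNSKEY" else None
        if m:
            roles[int(m.group(1))] = "ZSK" if rdata[0] == ZSK_FLAGS else "KSK"
    return roles


def rrsig_signers(records):
    """Map (owner, covered type) -> set of key tags; RRSIG rdata index 6 is the key tag."""
    signers = defaultdict(set)
    for owner, rtype, rdata, _raw in records:
        if rtype == "RRSIG":
            signers[(owner, rdata[0])].add(int(rdata[6]))
    return signers


def classify_zsk_rollover(dig_text):
    """Return (state, details): 'pre-publish', 'double-signature', 'steady', 'broken' or 'inconclusive'."""
    records = parse_records(dig_text)
    zsks = {tag for tag, role in dnskey_roles(records).items() if role == "ZSK"}
    known = set(dnskey_roles(records))
    data_signers, double, unknown = set(), [], set()
    for (owner, covered), tags in rrsig_signers(records).items():
        unknown |= tags - known               # signature by a key not in the DNSKEY set
        if covered == "DNSKEY":
            continue                          # the KSK legitimately co-signs the keyset
        active = tags & zsks
        data_signers |= active
        if len(active) > 1:
            double.append((owner, covered, sorted(active)))
    if unknown:
        state = "broken"
    elif double:
        state = "double-signature"
    elif not data_signers:
        state = "inconclusive"                # answer held no signed data RRset to judge
    elif zsks - data_signers:
        state = "pre-publish"                 # a ZSK is published but signs nothing yet/anymore
    else:
        state = "steady"
    return state, {"published_zsks": sorted(zsks), "signing_zsks": sorted(data_signers),
                   "double_signed": double, "unknown_signers": sorted(unknown)}


if __name__ == "__main__":
    for label, text in (("thread answer", PREPUBLISH_DIG), ("hypothetical", DOUBLE_SIGNED_DIG)):
        print(label, classify_zsk_rollover(text))
```

Run against a live zone with `dig +dnssec +multi +nocrypto soa example.net > soa.txt` and the same for `dnskey`, then feed the concatenated files to `classify_zsk_rollover`; the "broken" state is the one worth alerting on, since it means validators will see a signature they cannot match to any published key.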
