SOA record not signed with new key at key-rollover
Nis Wechselberg
enbewe at enbewe.de
Sun Jul 17 11:41:52 UTC 2016
Hi,
you are right, I got confused there.
Am I getting it right that the rest of the zone is not (re)signed
because the current signature is still valid for some time?
So if I were to set sig-validity-interval to a shorter value, this would
help with the issue?
Sadly it seems to be a value in days, so it is not that easy to test.
I will try setting the interval to 1 day with 23 hours preview signing.
Thanks.
Am 17.07.2016 um 06:06 schrieb Mark Andrews:
> In message <5788C969.6070905 at enbewe.de>, Nis Wechselberg writes:
>> Hi,
>>
>> I am curently testing a dnssec setup with the new dnssec-keymgr tool. I
>> created a test zone with very fast key rollover setings and very short
>> TTLs. (Configs below)
>>
>> The automated creation of keys seems to work fine but bind behaves other
>> than I would have expected.
>>
>> - Initial deployment looks fine with the current ZSK published and in use.
>> (http://dnsviz.net/d/testmichhartundwild.de/V4ep6A/dnssec/)
>
> ZSK = 36141
>
>> - At prepublication time the next key is published but not yet used (as
>> expected.
>> (http://dnsviz.net/d/testmichhartundwild.de/V4fV_A/dnssec/)
>
> New ZSK is 10173
>
>> - After rollover time the new key is used to sign the zone EXCEPT the
>> SOA record. This one is still signed by the old key.
>> (http://dnsviz.net/d/testmichhartundwild.de/V4fyNQ/dnssec/)
>
> No. The new ZSK signs the SOA record. The old signatures still exist
> on the other records as the only RRset that changes is the SOA.
>
>> - When post-publication of the old key expires it is removed and the new
>> key is used for all records.
>> (http://dnsviz.net/d/testmichhartundwild.de/V4gSGg/dnssec/)
>>
>>
>> I am confused becaus of the special treatment of the SOA record. I would
>> expect a complete switch to the new key. At the moment, cached responses
>> of the SOA record could not be verified in the timeframe between
>> deletion of the old key and the next TTL.
>>
>> Am I missing something?
>>
>> Regards,
>> Nis
>>
>> ----
>>
>>
>> dnssec-keymgr policy:
>>
>> zone testmichhartundwild.de {
>> algorithm RSASHA256;
>> directory "/etc/bind/zones/keys";
>> coverage 2d;
>> keyttl 600;
>> roll-period zsk 8h;
>> post-publish zsk 2h;
>> pre-publish zsk 2h;
>> };
>>
>>
>> bind zone config:
>>
>> zone "testmichhartundwild.de" IN {
>> type master;
>>
>> file "de/testmichhartundwild.de/zone.db";
>>
>> // Allow zone transfers to trusted servers
>> allow-transfer {
>> myServers;
>> localhost;
>> };
>>
>> // Allow updates with shared key
>> update-policy {
>> grant morpheus-trinity. zonesub any;
>> };
>> serial-update-method unixtime;
>>
>> // Activate dnssec for this domain
>> key-directory "keys";
>> auto-dnssec maintain;
>> };
>>
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>> from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list