dnssec KSK rollover

project722 project722 at gmail.com
Thu Aug 23 12:20:01 UTC 2018


Hi Tony,

I've removed the config for managed keys out of my named.conf, moved any
files called bind.keys out from my named working directory, and restarted
Bind. I see where Bind created two files - managed-keys.bind and
managed-keys.bind.jnl. So, I think I'm on the right track. That said, two
things:

1) I am still seeing the "no valid signature found" messages in my
bind.log. However, **I don't think** this is a problem because when I
query a hostname against my server that produces one of these errors, it
still resolves. For instance,

# root at fccore 07:01:07 0 jobs ~ > delv @x.x.x.x ncentral.teklinks.com A
+multiline +rtrace
;; fetch: ncentral.teklinks.com/A
;; fetch: teklinks.com/DNSKEY
;; fetch: teklinks.com/DS
;; fetch: com/DNSKEY
;; fetch: com/DS
;; fetch: ./DNSKEY
;; fetch: teklinks.com.dlv.isc.org/DLV
;; fetch: dlv.isc.org/DNSKEY
;; validating ncentral.teklinks.com/A: no valid signature found
; unsigned answer
ncentral.teklinks.com.    2482 IN    A 104.245.194.14
ncentral.teklinks.com.    2482 IN    RRSIG A 5 3 43200 (
                20180915012340 20180816012340 46266 teklinks.com.
                k2Q0WFrwuC8ouvapXp8XIgTznwJ3VS1Ag+b8/8ajSKBe
                6qLal+hYqc96WmIfYvz1fkM5Oze+WXZifeohO7ZEwlLn
                8RJCXlGEEtgZ6Phr44fBbjHg7wAGxaG0KLw3JNJJVDWq
                48/sB7Qftat8Hp1M/56qi6OjI22bbyBA8nYQ03kc84c6
                MjCBSJfrum78AJXMFD69wXERDz6GCcaLgL3jJlIH9vZg
                mB5EquQtZmxU/6izQJGqZs3Ht+3NkhcKYnqpRFyHrEmo
                VPqiuEBmGhVyJJChLpbLvOwFvjTZEaedoMXv5pQ8Ys9d
                sg4y1gokR+HXkeTKHr8RWayElh8gu5QKoQ== )


So, I can see here that it still resolves BUT something fails to validate a
signature. Where is the breakdown here? It was able to fetch the DNSKEY for
teklinks.com:

;; fetch: teklinks.com/DNSKEY

but not ncentral.teklinks.com:

;; validating ncentral.teklinks.com/A: no valid signature found

Shouldn't this validate? I mean, if teklinks.com can validate, shouldn't
the stub "ncentral" as well, since it's in the zone file? What am I missing
here?



2) There is one other scenario that confuses me. When I test against a URL
that's purposely set up to fail DNSSEC, I get a SERVFAIL.

root at fccore 07:14:57 0 jobs ~ > delv @x.x.x.x www.dnssec-failed.org A
+multiline +rtrace
;; fetch: www.dnssec-failed.org/A
;; resolution failed: SERVFAIL

So, what's the difference between this and the scenario above in #1? My
concern is that our customers will get SERVFAILs when they try to access
sites like this one.




On Thu, Aug 23, 2018 at 6:33 AM Tony Finch <dot at dotat.at> wrote:

> project722 <project722 at gmail.com> wrote:
> >
> > In my named.conf I changed:
> >
> > dnssec-validation yes;
> >
> > to
> >
> > dnssec-validation auto;
>
> Good :-)
>
> Next thing to do is delete all trace of managed-keys or mkeys files or
> trusted-keys configuration, then restart `named`. It will automatically
> create managed-keys files with the correct contents - it has the current
> root KSKs built in, so you don't need the bind.keys file.
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> South Fitzroy: Northerly or northeasterly 5 or 6. Slight or moderate.
> Occasional drizzle. Good, occasionally poor at first.
>
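As an added example (not code from the thread), a small Python parser for the `delv +multiline +rtrace` diagnostics quoted above: it separates the three outcomes delv reports (`; unsigned answer` as in #1, `;; resolution failed: SERVFAIL` as in #2, and the `; fully validated` line printed for a secure answer), lists the fetch chain, and decodes the RRSIG fields so the signature's validity window and key tag can be checked. The sample transcripts are constructed from the post with the signature data shortened; the function and field names are my own.

```python
"""Parse delv +rtrace diagnostics (added example; names are assumptions)."""
import re
from datetime import datetime, timezone

# Constructed from the delv output quoted in the post; signature shortened.
SAMPLE_UNSIGNED = """\
;; fetch: ncentral.teklinks.com/A
;; fetch: teklinks.com/DNSKEY
;; fetch: teklinks.com/DS
;; fetch: com/DNSKEY
;; fetch: com/DS
;; fetch: ./DNSKEY
;; fetch: teklinks.com.dlv.isc.org/DLV
;; fetch: dlv.isc.org/DNSKEY
;; validating ncentral.teklinks.com/A: no valid signature found
; unsigned answer
ncentral.teklinks.com.    2482 IN    A 104.245.194.14
ncentral.teklinks.com.    2482 IN    RRSIG A 5 3 43200 (
                20180915012340 20180816012340 46266 teklinks.com.
                k2Q0WFrwuC8ouvapXp8XIgTznwJ3VS1Ag+b8/8ajSKBe== )
"""
SAMPLE_SERVFAIL = ";; fetch: www.dnssec-failed.org/A\n;; resolution failed: SERVFAIL\n"

def _ts(s):  # RRSIG timestamps are YYYYMMDDHHMMSS in UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_delv(text):
    """Return security status, fetch chain, validator notes and parsed RRSIGs."""
    # Fold "( ... )" multiline records onto one line before splitting.
    flat = re.sub(r"\(\s*(.*?)\s*\)", lambda m: " ".join(m.group(1).split()),
                  text, flags=re.S)
    res = {"status": "unknown", "fetches": [], "notes": [], "rrsigs": []}
    for line in flat.splitlines():
        if line.startswith(";; fetch: "):
            res["fetches"].append(line[len(";; fetch: "):])
        elif line.startswith(";; validating "):
            res["notes"].append(line[3:])
        elif line.startswith(";; resolution failed: "):
            res["status"] = "failed:" + line.split(": ", 1)[1]
        elif line in ("; fully validated", "; unsigned answer"):
            res["status"] = line[2:]  # secure vs. insecure (unsigned) answer
        elif " RRSIG " in line:
            f = line.split()  # owner ttl class RRSIG type alg labels origttl exp inc keytag signer sig
            res["rrsigs"].append({"covers": f[4], "algorithm": int(f[5]),
                                  "expiration": _ts(f[8]), "inception": _ts(f[9]),
                                  "keytag": int(f[10]), "signer": f[11]})
    return res

def rrsig_in_window(sig, when):
    """True if RRSIG timestamp string `when` lies within the signature's validity."""
    return sig["inception"] <= _ts(when) <= sig["expiration"]

def used_dlv(res):
    """True if the chain consulted DLV (ISC's DLV registry was retired in 2017)."""
    return any(f.endswith("/DLV") for f in res["fetches"])
```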