ISC DNSSEC Guide - Working with the Parent Zone

Matthijs Mekking matthijs at isc.org
Wed Dec 23 10:39:45 UTC 2020


Hi Daniel,

This zone was signed before, prior to switching to 'dnssec-policy'? Or 
did you enable DNSSEC by adding 'dnssec-policy'?

If you have them, would you be able to share with me (off list) the logs 
and the key (state) files?

- Matthijs


On 23-12-2020 10:47, Daniel Stirnimann wrote:
> Hello Matthijs,
> 
> I'm testing with version 9.16.9.
> 
> Ok, I'm more confused now.
> 
> For the current key rollover the DNSKEY RRset is not signed with both
> the old key 6207 and the new key 15769 but only with the new key 15769.
> The domain is now bogus:
> 
> https://dnsviz.net/d/badware.ch/X-MRAg/dnssec/
> 
> 
> rndc dnssec -status badware.ch
> dnssec-policy: test
> current time:  Wed Dec 23 10:42:00 2020
> 
> key: 39414 (ECDSAP256SHA256), CSK
>    published:      no
>    key signing:    no
>    zone signing:   no
> 
>    Key has been removed from the zone
>    - goal:           hidden
>    - dnskey:         unretentive
>    - ds:             unretentive
>    - zone rrsig:     unretentive
>    - key rrsig:      hidden
> 
> key: 6207 (ECDSAP256SHA256), CSK
>    published:      yes - since Wed Dec 16 07:33:24 2020
>    key signing:    no
>    zone signing:   no
> 
>    Key is retired, will be removed on Fri Jan  1 11:43:24 2021
>    - goal:           hidden
>    - dnskey:         omnipresent
>    - ds:             unretentive
>    - zone rrsig:     unretentive
>    - key rrsig:      hidden
> 
> key: 15769 (ECDSAP256SHA256), CSK
>    published:      yes - since Wed Dec 23 07:33:24 2020
>    key signing:    yes - since Wed Dec 23 07:33:24 2020
>    zone signing:   yes - since Wed Dec 23 09:38:24 2020
> 
>    Next rollover scheduled on Wed Dec 30 07:33:24 2020
>    - goal:           omnipresent
>    - dnskey:         omnipresent
>    - ds:             rumoured
>    - zone rrsig:     rumoured
>    - key rrsig:      omnipresent
> 
> 
> Daniel
> 
> On 23.12.20 10:33, Matthijs Mekking wrote:
>> Hi Daniel,
>>
>> With which specific 9.16 version are you testing? The first versions
>> used an unsafe time-based rollover, assuming the DS would be published
>> within a certain time. In 9.16.7 a new rndc command "rndc dnssec
>> -checkds" was introduced to tell BIND 9 that the DS for a given key has
>> been published.
>>
>> Best regards,
>>
>> Matthijs
>>
>> On 23-12-2020 09:53, Daniel Stirnimann wrote:
>>> Hi all,
>>>
>>> I'm testing the key rollover behavior of BIND 9.16 with the newly
>>> introduced "dnssec-policy" statement.
>>>
>>> The ISC DNSSEC Guide, chapter Working with the Parent Zone (2) [1] states:
>>>
>>> "At the time of this writing (mid-2020) BIND does not check for the
>>> presence of a DS record in the parent zone before completing the KSK or
>>> CSK rollover and withdrawing the old key. Instead, you need to use the
>>> rndc tool to tell named that the DS record has been published."
>>>
>>> The last sentence that one has to tell named that the DS record has been
>>> published is not what I'm observing. My tests show that BIND continues
>>> (finishes) the key rollover. The use of the rndc tool is not required.
>>> Is this an error in the documentation?
>>>
>>> dnsviz output of the test domain:
>>>
>>> badware.ch signed with key 39414 but no trust anchor in .ch yet:
>>> https://dnsviz.net/d/badware.ch/X9DD2w/dnssec/
>>>
>>> badware.ch DNSSEC bootstrap completed (with trust anchor in .ch,
>>> automatically picked up by CDS/CDNSKEY polling by the parent):
>>> https://dnsviz.net/d/badware.ch/X9ZGPA/dnssec/
>>>
>>> badware.ch key rollover from key 39414 to key 6207 in progress:
>>> https://dnsviz.net/d/badware.ch/X9oemQ/dnssec/
>>>
>>> badware.ch previous key rollover finished. Key 39414 is unused and will
>>> be removed from the DNSKEY rrset soon. No "rndc" command has been used
>>> to tell named to complete the key rollover.
>>> Next key rollover started with the introduction of key 15769:
>>> https://dnsviz.net/d/badware.ch/X-L1BQ/dnssec/
>>>
>>>
>>> DNSSEC Policy:
>>>
>>> dnssec-policy "test" {
>>>       keys {
>>>           csk key-directory lifetime 7d algorithm 13;
>>>       };
>>>
>>>       // Key timings
>>>       dnskey-ttl 3600;
>>>       publish-safety 1h;
>>>       retire-safety 1h;
>>>
>>>       // Zone parameters
>>>       max-zone-ttl 3600;
>>>       zone-propagation-delay 300;
>>>
>>>       // Parent parameters
>>>       parent-ds-ttl 1h;
>>>       parent-propagation-delay 1h;
>>> };
>>>
>>> Thank you,
>>> Daniel
>>>
>>> [1]
>>> https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2
>>>
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>>
>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>>
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
> 
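As an added check (example code written for this page, not from the thread, from ISC or from BIND itself), the script below parses the key-state section of the `rndc dnssec -status` output quoted above and flags the condition Daniel reports: no key has DS, DNSKEY and DNSKEY-RRset signature all "omnipresent", while the only key still signing (15769) has a DS that is merely "rumoured". The sample input is constructed from the quoted status output with the informational lines dropped; the function names and the "chain_ok" heuristic are mine.

```python
import re

# Constructed sample: the key states from the `rndc dnssec -status badware.ch`
# output quoted in the thread (published/signing and free-text lines omitted).
STATUS = """\
key: 39414 (ECDSAP256SHA256), CSK
   - goal:           hidden
   - dnskey:         unretentive
   - ds:             unretentive
   - zone rrsig:     unretentive
   - key rrsig:      hidden
key: 6207 (ECDSAP256SHA256), CSK
   - goal:           hidden
   - dnskey:         omnipresent
   - ds:             unretentive
   - zone rrsig:     unretentive
   - key rrsig:      hidden
key: 15769 (ECDSAP256SHA256), CSK
   - goal:           omnipresent
   - dnskey:         omnipresent
   - ds:             rumoured
   - zone rrsig:     rumoured
   - key rrsig:      omnipresent
"""

KEY_RE = re.compile(r"^key:\s+(\d+)\s+\((\w+)\),\s+(\w+)")
STATE_RE = re.compile(r"^\s*-\s+([a-z ]+?):\s+(\w+)")


def parse_status(text):
    """Return {key_id: {"alg", "role", "goal", "dnskey", "ds", "zone rrsig", "key rrsig"}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = {"alg": m.group(2), "role": m.group(3)}
            keys[int(m.group(1))] = current
        elif current is not None and (m := STATE_RE.match(line)):
            current[m.group(1)] = m.group(2)
    return keys


def check_chain(keys):
    """Heuristic: every validator is guaranteed a chain only if some key has DS,
    DNSKEY and the DNSKEY RRset signature all 'omnipresent'; a DS that is only
    'rumoured' has not been confirmed at the parent (see "rndc dnssec -checkds")."""
    anchors = [k for k, s in keys.items() if s.get("ds") == "omnipresent"
               and s.get("dnskey") == "omnipresent" and s.get("key rrsig") == "omnipresent"]
    pending = [k for k, s in keys.items() if s.get("ds") == "rumoured"]
    return {"anchors": anchors, "pending_ds": pending, "chain_ok": bool(anchors)}


if __name__ == "__main__":
    print(check_chain(parse_status(STATUS)))
```

Run against the quoted output it reports no anchor key and key 15769 pending DS confirmation, which is the state in which dnsviz shows the zone as bogus.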

