ISC DNSSEC Guide - Working with the Parent Zone

Daniel Stirnimann daniel.stirnimann at switch.ch
Wed Dec 23 10:43:48 UTC 2020


Hi Matthijs,

The zone was not signed before. I enabled DNSSEC by adding the
'dnssec-policy'. I will send you the requested files off list.

Thank you,
Daniel

On 23.12.20 11:39, Matthijs Mekking wrote:
> Hi Daniel,
> 
> This zone was signed before, prior to switching to 'dnssec-policy'? Or 
> did you enable DNSSEC by adding 'dnssec-policy'?
> 
> If you have them, would you be able to share with me (off list) the logs 
> and the key (state) files?
> 
> - Matthijs
> 
> 
> On 23-12-2020 10:47, Daniel Stirnimann wrote:
>> Hello Matthijs,
>>
>> I'm testing with version 9.16.9.
>>
>> Ok, I'm more confused now.
>>
>> For the current key rollover the DNSKEY RRset is not signed with both
>> the old key 6207 and the new key 15769 but only with the new key 15769.
>> The domain is now bogus:
>>
>> https://dnsviz.net/d/badware.ch/X-MRAg/dnssec/
>>
>>
>> rndc dnssec -status badware.ch
>> dnssec-policy: test
>> current time:  Wed Dec 23 10:42:00 2020
>>
>> key: 39414 (ECDSAP256SHA256), CSK
>>    published:      no
>>    key signing:    no
>>    zone signing:   no
>>
>>    Key has been removed from the zone
>>    - goal:           hidden
>>    - dnskey:         unretentive
>>    - ds:             unretentive
>>    - zone rrsig:     unretentive
>>    - key rrsig:      hidden
>>
>> key: 6207 (ECDSAP256SHA256), CSK
>>    published:      yes - since Wed Dec 16 07:33:24 2020
>>    key signing:    no
>>    zone signing:   no
>>
>>    Key is retired, will be removed on Fri Jan  1 11:43:24 2021
>>    - goal:           hidden
>>    - dnskey:         omnipresent
>>    - ds:             unretentive
>>    - zone rrsig:     unretentive
>>    - key rrsig:      hidden
>>
>> key: 15769 (ECDSAP256SHA256), CSK
>>    published:      yes - since Wed Dec 23 07:33:24 2020
>>    key signing:    yes - since Wed Dec 23 07:33:24 2020
>>    zone signing:   yes - since Wed Dec 23 09:38:24 2020
>>
>>    Next rollover scheduled on Wed Dec 30 07:33:24 2020
>>    - goal:           omnipresent
>>    - dnskey:         omnipresent
>>    - ds:             rumoured
>>    - zone rrsig:     rumoured
>>    - key rrsig:      omnipresent
>>
>>
>> Daniel
>>
>> On 23.12.20 10:33, Matthijs Mekking wrote:
>>> Hi Daniel,
>>>
>>> With which specific 9.16 version are you testing? The first versions
>>> used an unsafe time based rollover, assuming the DS would be published
>>> withing a certain time. In 9.16.7 a new rndc command "rndc dnssec
>>> -checkds" was introduced to tell BIND 9 that the DS for a given key has
>>> been published.
>>>
>>> Best regards,
>>>
>>> Matthijs
>>>
>>> On 23-12-2020 09:53, Daniel Stirnimann wrote:
>>>> Hi all,
>>>>
>>>> I'm testing the key rollover behavior of BIND 9.16 with the newly
>>>> introduced "dnssec-policy" statement.
>>>>
>>>> The ISC DNSSEC Guide, chapter Working with the Parent Zone (2) [1] states:
>>>>
>>>> "At the time of this writing (mid-2020) BIND does not check for the
>>>> presence of a DS record in the parent zone before completing the KSK or
>>>> CSK rollover and withdrawing the old key. Instead, you need to use the
>>>> rndc tool to tell named that the DS record has been published."
>>>>
>>>> The last sentence that one has to tell named that the DS record has been
>>>> published is not what I'm observing. My tests show that BIND continues
>>>> (finishes) the key rollover. The use of the rndc tool is not required.
>>>> Is this an error in the documentation?
>>>>
>>>> dnsviz output of the test domain:
>>>>
>>>> badware.ch signed with key 39414 but no trust anchor in .ch yet:
>>>> https://dnsviz.net/d/badware.ch/X9DD2w/dnssec/
>>>>
>>>> badware.ch DNSSEC bootstrap completed (with trust anchor in .ch,
>>>> automatically picked up by CDS/CDNSKEY polling by the parent):
>>>> https://dnsviz.net/d/badware.ch/X9ZGPA/dnssec/
>>>>
>>>> badware.ch key rollover from key 39414 to key 6207 in progress:
>>>> https://dnsviz.net/d/badware.ch/X9oemQ/dnssec/
>>>>
>>>> badware.ch previous key rollover finished. key 39414 is unused and will
>>>> be removed from the DNSKEY rrset soon. No "rndc" command has been used
>>>> to tell named to complete the key rollover.
>>>> Next key rollover started with the introduction of key 15769:
>>>> https://dnsviz.net/d/badware.ch/X-L1BQ/dnssec/
>>>>
>>>>
>>>> DNSSEC Policy:
>>>>
>>>> dnssec-policy "test" {
>>>>       keys {
>>>>           csk key-directory lifetime 7d algorithm 13;
>>>>       };
>>>>
>>>>       // Key timings
>>>>       dnskey-ttl 3600;
>>>>       publish-safety 1h;
>>>>       retire-safety 1h;
>>>>
>>>>       // Zone parameters
>>>>       max-zone-ttl 3600;
>>>>       zone-propagation-delay 300;
>>>>
>>>>       // Parent parameters
>>>>       parent-ds-ttl 1h;
>>>>       parent-propagation-delay 1h;
>>>> };
>>>>
>>>> Thank you,
>>>> Daniel
>>>>
>>>> [1]
>>>> https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2
>>>>
>>>> _______________________________________________
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>>>
>>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>>>
>>>>
>>>> bind-users mailing list
>>>> bind-users at lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>>

-- 
SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 24
daniel.stirnimann at switch.ch, www.switch.ch
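The thread turns on whether named completes a KSK/CSK rollover on a timer or only after being told, via rndc dnssec -checkds, that the parent really serves the new DS. The script below is an added example written for this page (not ISC code, and not the BIND key manager's own logic): it derives the DS for each child DNSKEY (RFC 4034 key tag and SHA-256 digest), reads the "ds:" state out of rndc dnssec -status output in the format quoted above, and only emits the checkds command for a key when the parent's DS set actually agrees. The zone name, the key material (not real curve points), the DS sets and the status text are all constructed for the demonstration; in practice the parent DS set would come from a dig DS query against a parent authoritative server, not a cache. The rndc syntax follows the BIND 9.16.7+ rndc documentation; check it against the installed version's rndc help.

```python
"""Emit `rndc dnssec -checkds` commands only when the parent's DS set confirms
them.  Example code for this thread, not ISC's; all data below is constructed."""
import base64
import hashlib
import re
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lower-cased, root label appended)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """RFC 4034 DNSKEY RDATA: flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner-name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def parse_rndc_status(text: str) -> dict:
    """Map key tag -> ds state (rumoured/omnipresent/unretentive/hidden)
    from `rndc dnssec -status` output in the layout quoted in the thread."""
    pattern = re.compile(r"^key:\s+(\d+)\s.*?^\s+- ds:\s+(\w+)", re.S | re.M)
    return {int(m.group(1)): m.group(2) for m in pattern.finditer(text)}


def checkds_commands(zone: str, status_text: str, dnskeys: dict, parent_ds: set) -> list:
    """dnskeys: key tag -> DNSKEY RDATA of the child's keys.
    parent_ds: set of (key_tag, algorithm, digest_type, digest_hex) tuples
    as served by the parent.  A key in state 'rumoured' gets 'published'
    only if its DS is really there; a key in 'unretentive' gets 'withdrawn'
    only once its DS is really gone.  Otherwise nothing is emitted."""
    cmds = []
    for tag, ds_state in parse_rndc_status(status_text).items():
        if tag not in dnskeys:
            continue
        rdata = dnskeys[tag]
        ds = (tag, rdata[3], 2, ds_sha256(zone, rdata))  # rdata[3] is the algorithm
        if ds_state == "rumoured" and ds in parent_ds:
            cmds.append(f"rndc dnssec -checkds -key {tag} published {zone}")
        elif ds_state == "unretentive" and ds not in parent_ds:
            cmds.append(f"rndc dnssec -checkds -key {tag} withdrawn {zone}")
    return cmds


# Constructed data (assumed zone name; byte patterns are not real P-256 points).
ZONE = "example.ch"
OLD_KEY = dnskey_rdata(257, 13, bytes(range(64, 0, -1)))
NEW_KEY = dnskey_rdata(257, 13, bytes(range(1, 65)))
OLD_TAG, NEW_TAG = key_tag(OLD_KEY), key_tag(NEW_KEY)
DNSKEYS = {OLD_TAG: OLD_KEY, NEW_TAG: NEW_KEY}

# Constructed `rndc dnssec -status` output mirroring the thread's mid-rollover state.
STATUS = f"""dnssec-policy: test
key: {OLD_TAG} (ECDSAP256SHA256), CSK
   Key is retired, will be removed on Fri Jan  1 11:43:24 2021
   - goal:           hidden
   - dnskey:         omnipresent
   - ds:             unretentive
   - zone rrsig:     unretentive

key: {NEW_TAG} (ECDSAP256SHA256), CSK
   Next rollover scheduled on Wed Dec 30 07:33:24 2020
   - goal:           omnipresent
   - dnskey:         omnipresent
   - ds:             rumoured
   - zone rrsig:     rumoured
"""

# Parent still serves only the old DS: nothing may be confirmed yet.
PARENT_BEFORE = {(OLD_TAG, 13, 2, ds_sha256(ZONE, OLD_KEY))}
# Parent has swapped to the new DS: both transitions can be confirmed.
PARENT_AFTER = {(NEW_TAG, 13, 2, ds_sha256(ZONE, NEW_KEY))}

if __name__ == "__main__":
    print(checkds_commands(ZONE, STATUS, DNSKEYS, PARENT_BEFORE))
    print(checkds_commands(ZONE, STATUS, DNSKEYS, PARENT_AFTER))
```

With the parent still on the old DS the script emits nothing, which is the point: a rollover driven purely by parent-ds-ttl and parent-propagation-delay timers would already have moved on. Only after the parent's DS set matches the child's new key does it produce the published command for the new tag and the withdrawn command for the old one.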

