zsk rollover

Alan Batie alan at peak.org
Tue Feb 25 20:02:53 UTC 2020


BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7

I'm testing ZSK rollover on a currently unused domain, and expected the
rollover to happen automatically Saturday; however, it appears that it
has only partially happened: according to
https://dnssec-analyzer.verisignlabs.com/peakmail.com (if I read it
right), the old key is still being used for signing the NSEC responses:

	Found 2 RRSIGs over DNSKEY RRset
	RRSIG=46671 and DNSKEY=46671 verifies the DNSKEY RRset
	Found 1 RRSIGs over NSEC RRset
	RRSIG=1410 and DNSKEY=1410 verifies the NSEC RRset
	NSEC proves no records of type A exist for peakmail.com
	Found 1 RRSIGs over SOA RRset
	RRSIG=46671 and DNSKEY=46671 verifies the SOA RRset

It looks like the old key (1410) is still signing the NS records too:

<ns6.peak.org> [117] $ dig +dnssec ns peakmail.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> +dnssec ns peakmail.com
...
;; ANSWER SECTION:
peakmail.com.		2949	IN	NS	ns1.peak.org.
peakmail.com.		2949	IN	NS	ns2.peak.org.
peakmail.com.		2949	IN	RRSIG	NS 8 2 3600 20200306103311 20200205095819
1410 peakmail.com.
YNtR43oUskSKPTGg3GIiH6V3icJhFsHg5RxH7UeQ9LPpN8c2UIWfbn/p
zXd9EcxeYwjRL0BtDQ6ZZRKLq7UcUdpFBwVR6dJv+g0pJg9VUAVVM4t5
9HoAq3HdyoyVoXWoQiPcNg+qqAwzp42FxRI/qILCoApurX9rPxNESuDo
FjzcXxOmGv3FNHKdIr0WqTb4BW9MIpJGF3WWymg5zFMqSv4BQJkIgWr/
XyDr6jhjvMLUAgF45+Gi5lEiqjzmwGb9XTxVJz9oMDCInh4Pi5185huV
GXKkSGArZsI9t7Z+0Zi0E+s56cuN6Sq8J/HueYoxIWnUxr+35tyFRjvv SxLXWA==


However the new key is signing the SOA record:

<ns6.peak.org> [116] $ dig +dnssec soa peakmail.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> +dnssec soa
...
;; ANSWER SECTION:
peakmail.com.		3600	IN	SOA	ns1.peak.org. hostmaster.peak.org. 2020012408
3600 900 604800 300
peakmail.com.		3600	IN	RRSIG	SOA 8 2 3600 20200324000000 20200222230000
46671 peakmail.com.
YA/1d55blWOqwqsbcaKEP7JO4nRbI2OyzSvhcPWukAim5wDhFUx1OkAd
8kLPpGp7eO/WEAiyFk/JPxkOqLB0c/Lu1MlF9pmAFhUMzsVkDsYu1+uE
kGyhUpj4GrOoA3xOpJ6rQLfmTTjGFTpCtrBmlIm/UltA9a3pw7PTwLks
ZhpYU+a5CXhbimgBgk40Do9DGfN0ToB4R9w+AlFqAKX3UEpv8PiR/MaR
nCfjWLwnbVjURBj0V3P1VJUX38v4rOVPAIivwesM7MhaVL1+s+Rfvu5r
guCSkkY0XQc3jeKSRSE25I7AxWYTs9T8NBq5ZgFqyvHZN7ZZ4vwxwg/r hsvUug==



The public key files in question:

; This is a zone-signing key, keyid 1410, for peakmail.com.
; Created: 20200110224135 (Fri Jan 10 14:41:35 2020)
; Publish: 20200110224135 (Fri Jan 10 14:41:35 2020)
; Activate: 20200110224135 (Fri Jan 10 14:41:35 2020)
; Inactive: 20200222000000 (Fri Feb 21 16:00:00 2020)
; Delete: 20200226000000 (Tue Feb 25 16:00:00 2020)
peakmail.com. IN DNSKEY 256 3 8
AwEAAd44dDiBOaLFp/sRC6Pr0Baas/gcR1udt/PFFP8JPbBU82Sv1bH6
d/+8HsH7oYYBJaEaupIgrVqi2RzzdvnbvvPJ0mEEnCrVysGpIZCORimR
7OA+DVz6FZHcvi7PE8yaY7D09PbghnhiKBnk+obhqbTqjfyazPu+amM6
aJxg/2crq0+w/XRcuwQ40Oj/iK/c6fnPm1GxfTQBB11jpMOWc1uwsFxw
Xgcv1bVUc4H6ERk0MrH2wZQTvrh2XG1WQju6uRSi5YE+dXy2HYH/YK02
mXvOdB2YPhddap6u2XQC1zrZcEtiIT1ifWcxQYzhAT5/xoFct3oH0m46 iW5vVtYhACc=

; This is a zone-signing key, keyid 46671, for peakmail.com.
; Created: 20200218234802 (Tue Feb 18 15:48:02 2020)
; Publish: 20200219000000 (Tue Feb 18 16:00:00 2020)
; Activate: 20200222000000 (Fri Feb 21 16:00:00 2020)
peakmail.com. IN DNSKEY 256 3 8
AwEAAbMVxTZ9vttRsad5iBUOXflyn+Px1U0tQ7taNBNxRpHy0GFn/mtI
W/S4xNorMNj7acKqzOzgXxUH90tc0PYbpg17WEGIyJC0OtlQJExpASXd
7cXG9Se6RvWDhWiiiEs7Z4fAVEzqegohK/V86TFY5+uBd1uN8DVBtHnz
M1IBekumCyMliqHL4+7xtVrZccu2CINo6TukJvfz+SI/jQJUjXbfyuDN
uVUPE+JVeuiwPC1Y++Wg+S9oJrpsSp8Vm+j/NqdescDRknhWMYZGQ5HL
6xXgrqGZJ6EGC3FgH7WXU6oAmYxSZE8mGZp/2IiXLTefX8Si3bDMLxOe Av7p/BAAbgM=

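An added diagnostic, written for this thread and not part of the post or of BIND's own tooling: it parses RRSIG lines as printed by `dig +dnssec`, looks up the signing key tag in the timing metadata from the two key-file headers quoted above, and reports whether that key had already passed its Inactive or Delete time at a given moment. The sample RRSIG lines and key metadata are constructed from the post (signature data dropped), and a "stale-inactive-key" finding only means the RRset has not yet been re-signed by the active key; the signature itself remains valid to validators until its expiration time, as long as the old DNSKEY is still published.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two RRSIG lines from the dig output above (base64 data dropped).
RRSIGS = """\
peakmail.com. 2949 IN RRSIG NS 8 2 3600 20200306103311 20200205095819 1410 peakmail.com.
peakmail.com. 3600 IN RRSIG SOA 8 2 3600 20200324000000 20200222230000 46671 peakmail.com.
"""

# Key timing metadata copied from the two key-file headers (UTC, YYYYMMDDHHMMSS).
KEYS = {
    1410: {"Activate": "20200110224135", "Inactive": "20200222000000", "Delete": "20200226000000"},
    46671: {"Activate": "20200222000000"},
}

# owner TTL IN RRSIG covered alg labels origttl expiration inception keytag signer ...
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+(\d+)\s+")

def ts(s):
    """BIND/RRSIG timestamp string -> timezone-aware UTC datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    sigs = []
    for line in text.splitlines():
        m = RRSIG_RE.match(line)
        if m:
            owner, covered, expiry, inception, tag = m.groups()
            sigs.append({"owner": owner, "type": covered, "tag": int(tag),
                         "expire": ts(expiry), "inception": ts(inception)})
    return sigs

def audit(sigs, keys, now):
    """Per RRSIG: (covered type, key tag, status of the signing key at `now`)."""
    findings = []
    for sig in sigs:
        k = keys.get(sig["tag"])
        if k is None:
            status = "unknown-key"
        elif "Delete" in k and ts(k["Delete"]) <= now:
            status = "signed-by-deleted-key"
        elif "Inactive" in k and ts(k["Inactive"]) <= now:
            status = "stale-inactive-key"  # still valid until expiry, but not yet re-signed
        elif sig["inception"] < ts(k["Activate"]):
            status = "signed-before-activate"
        else:
            status = "ok"
        findings.append((sig["type"], sig["tag"], status))
    return findings
```

Run against the post's data with `now` set to the time of the post, the NS RRSIG by key 1410 is reported as stale (key inactive since 2020-02-22, not yet deleted) while the SOA RRSIG by 46671 is fine.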
