zsk rollover

Mark Andrews marka at isc.org
Tue Feb 25 21:30:00 UTC 2020


Firstly unset the deletion date for the old key.   It is way
too early for incremental re-signing.  Named replaces RRSIG
*as-they-fall-due* for re-signing.  With the defaults that
takes 22.5 days with a sig-validity-interval of 30 days.

All Inactivation does is STOP named signing records with that
key.  It does NOT cause old RRSIGs to be replaced.  This is
deliberate.

You are using offline signing timings where everything in the
zone is re-signed at once.  To use the offline time model just
use 22.5 days as the time to sign the zone rather than the fictional
0 seconds.

Mark

> On 26 Feb 2020, at 07:02, Alan Batie <alan at peak.org> wrote:
> 
> BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7
> 
> I'm testing zsk rollover on a currently unused domain, and expected the
> rollover to happen automatically Saturday, however it appears that it
> only partially has: according to
> https://dnssec-analyzer.verisignlabs.com/peakmail.com (if I read it
> right), the old key is still being used for signing the NSEC responses
> 
> 	Found 2 RRSIGs over DNSKEY RRset
> 	RRSIG=46671 and DNSKEY=46671 verifies the DNSKEY RRset
> 	Found 1 RRSIGs over NSEC RRset
> 	RRSIG=1410 and DNSKEY=1410 verifies the NSEC RRset
> 	NSEC proves no records of type A exist for peakmail.com
> 	Found 1 RRSIGs over SOA RRset
> 	RRSIG=46671 and DNSKEY=46671 verifies the SOA RRset
> 
> It looks like the old key (1410) is still signing the NS records too:
> 
> <ns6.peak.org> [117] $ dig +dnssec ns peakmail.com
> 
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> +dnssec ns peakmail.com
> ...
> ;; ANSWER SECTION:
> peakmail.com.		2949	IN	NS	ns1.peak.org.
> peakmail.com.		2949	IN	NS	ns2.peak.org.
> peakmail.com.		2949	IN	RRSIG	NS 8 2 3600 20200306103311 20200205095819
> 1410 peakmail.com.
> YNtR43oUskSKPTGg3GIiH6V3icJhFsHg5RxH7UeQ9LPpN8c2UIWfbn/p
> zXd9EcxeYwjRL0BtDQ6ZZRKLq7UcUdpFBwVR6dJv+g0pJg9VUAVVM4t5
> 9HoAq3HdyoyVoXWoQiPcNg+qqAwzp42FxRI/qILCoApurX9rPxNESuDo
> FjzcXxOmGv3FNHKdIr0WqTb4BW9MIpJGF3WWymg5zFMqSv4BQJkIgWr/
> XyDr6jhjvMLUAgF45+Gi5lEiqjzmwGb9XTxVJz9oMDCInh4Pi5185huV
> GXKkSGArZsI9t7Z+0Zi0E+s56cuN6Sq8J/HueYoxIWnUxr+35tyFRjvv SxLXWA==
> 
> 
> However the new key is signing the SOA record:
> 
> <ns6.peak.org> [116] $ dig +dnssec soa peakmail.com
> 
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> +dnssec soa
> ...
> ;; ANSWER SECTION:
> peakmail.com.		3600	IN	SOA	ns1.peak.org. hostmaster.peak.org. 2020012408
> 3600 900 604800 300
> peakmail.com.		3600	IN	RRSIG	SOA 8 2 3600 20200324000000 20200222230000
> 46671 peakmail.com.
> YA/1d55blWOqwqsbcaKEP7JO4nRbI2OyzSvhcPWukAim5wDhFUx1OkAd
> 8kLPpGp7eO/WEAiyFk/JPxkOqLB0c/Lu1MlF9pmAFhUMzsVkDsYu1+uE
> kGyhUpj4GrOoA3xOpJ6rQLfmTTjGFTpCtrBmlIm/UltA9a3pw7PTwLks
> ZhpYU+a5CXhbimgBgk40Do9DGfN0ToB4R9w+AlFqAKX3UEpv8PiR/MaR
> nCfjWLwnbVjURBj0V3P1VJUX38v4rOVPAIivwesM7MhaVL1+s+Rfvu5r
> guCSkkY0XQc3jeKSRSE25I7AxWYTs9T8NBq5ZgFqyvHZN7ZZ4vwxwg/r hsvUug==
> 
> 
> 
> The public key files in question:
> 
> ; This is a zone-signing key, keyid 1410, for peakmail.com.
> ; Created: 20200110224135 (Fri Jan 10 14:41:35 2020)
> ; Publish: 20200110224135 (Fri Jan 10 14:41:35 2020)
> ; Activate: 20200110224135 (Fri Jan 10 14:41:35 2020)
> ; Inactive: 20200222000000 (Fri Feb 21 16:00:00 2020)
> ; Delete: 20200226000000 (Tue Feb 25 16:00:00 2020)
> peakmail.com. IN DNSKEY 256 3 8
> AwEAAd44dDiBOaLFp/sRC6Pr0Baas/gcR1udt/PFFP8JPbBU82Sv1bH6
> d/+8HsH7oYYBJaEaupIgrVqi2RzzdvnbvvPJ0mEEnCrVysGpIZCORimR
> 7OA+DVz6FZHcvi7PE8yaY7D09PbghnhiKBnk+obhqbTqjfyazPu+amM6
> aJxg/2crq0+w/XRcuwQ40Oj/iK/c6fnPm1GxfTQBB11jpMOWc1uwsFxw
> Xgcv1bVUc4H6ERk0MrH2wZQTvrh2XG1WQju6uRSi5YE+dXy2HYH/YK02
> mXvOdB2YPhddap6u2XQC1zrZcEtiIT1ifWcxQYzhAT5/xoFct3oH0m46 iW5vVtYhACc=
> 
> ; This is a zone-signing key, keyid 46671, for peakmail.com.
> ; Created: 20200218234802 (Tue Feb 18 15:48:02 2020)
> ; Publish: 20200219000000 (Tue Feb 18 16:00:00 2020)
> ; Activate: 20200222000000 (Fri Feb 21 16:00:00 2020)
> peakmail.com. IN DNSKEY 256 3 8
> AwEAAbMVxTZ9vttRsad5iBUOXflyn+Px1U0tQ7taNBNxRpHy0GFn/mtI
> W/S4xNorMNj7acKqzOzgXxUH90tc0PYbpg17WEGIyJC0OtlQJExpASXd
> 7cXG9Se6RvWDhWiiiEs7Z4fAVEzqegohK/V86TFY5+uBd1uN8DVBtHnz
> M1IBekumCyMliqHL4+7xtVrZccu2CINo6TukJvfz+SI/jQJUjXbfyuDN
> uVUPE+JVeuiwPC1Y++Wg+S9oJrpsSp8Vm+j/NqdescDRknhWMYZGQ5HL
> 6xXgrqGZJ6EGC3FgH7WXU6oAmYxSZE8mGZp/2IiXLTefX8Si3bDMLxOe Av7p/BAAbgM=
> 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
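A worked check of the timing Mark describes, added here as an example and not part of either message: it takes the old ZSK's Inactive/Delete metadata and the NS RRSIG from the quoted dig output, computes when named would actually regenerate that signature (sig-validity-interval's second value, by default one quarter of the first, before expiry) and the earliest Delete date that leaves no RRSIG orphaned. It assumes the BIND defaults of 30 days / 7.5 days and takes 3600 seconds, the TTL shown on the SOA, as the longest TTL in the zone.

```python
from datetime import datetime, timedelta

# Timestamp format shared by RRSIG inception/expiration fields and the
# Created/Publish/Activate/Inactive/Delete lines in dnssec-keygen key files (UTC).
FMT = "%Y%m%d%H%M%S"

# BIND defaults: sig-validity-interval 30 days; an RRSIG is regenerated once it is
# within the second value (default one quarter of the first, 7.5 days) of expiry.
VALIDITY_DAYS = 30
RESIGN_DAYS = VALIDITY_DAYS / 4


def resign_time(expiration, resign_days=RESIGN_DAYS):
    """Time at which named replaces an RRSIG with the given expiration."""
    dt = datetime.strptime(expiration, FMT) - timedelta(days=resign_days)
    return dt.strftime(FMT)


def earliest_delete(inactive, validity_days=VALIDITY_DAYS,
                    resign_days=RESIGN_DAYS, max_ttl_seconds=0):
    """Earliest safe Delete time for a ZSK that stops signing at `inactive`.

    A signature made just before inactivation expires validity_days later and is
    only regenerated resign_days before that (22.5 days with the defaults); the
    DNSKEY must stay published until then plus the longest TTL, so cached RRSIGs
    can still be validated.
    """
    dt = (datetime.strptime(inactive, FMT)
          + timedelta(days=validity_days - resign_days)
          + timedelta(seconds=max_ttl_seconds))
    return dt.strftime(FMT)


def rrsigs_outliving_delete(rrsigs, key):
    """RR types whose RRSIG by `key` is still in the zone after the key's Delete
    date, i.e. signatures the current rollover plan would orphan."""
    # Fixed-width FMT strings compare correctly as plain strings.
    return [sig["type"] for sig in rrsigs
            if sig["keyid"] == key["keyid"]
            and resign_time(sig["expiration"]) > key["delete"]]


# Values taken from the quoted message: the old ZSK's timing metadata, the NS
# RRSIG it produced and the SOA RRSIG produced by the new ZSK.
OLD_ZSK = {"keyid": 1410, "inactive": "20200222000000", "delete": "20200226000000"}
RRSIGS = [
    {"type": "NS", "keyid": 1410, "inception": "20200205095819", "expiration": "20200306103311"},
    {"type": "SOA", "keyid": 46671, "inception": "20200222230000", "expiration": "20200324000000"},
]

if __name__ == "__main__":
    print("NS RRSIG by key 1410 is regenerated at", resign_time("20200306103311"))
    print("Orphaned by the current Delete date:", rrsigs_outliving_delete(RRSIGS, OLD_ZSK))
    print("Earliest safe Delete (max TTL 3600 s):",
          earliest_delete(OLD_ZSK["inactive"], max_ttl_seconds=3600))
```

With the page's values the NS signature is not touched until 2020-02-27 22:33 UTC, after the planned Delete of 2020-02-26, and the safe Delete date is no earlier than 2020-03-15 13:00 UTC.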
