Can't get Bind to publish CDS/CDNSKEY using dnssec-policy

Josef Vybíhal josef.vybihal at gmail.com
Thu Aug 12 07:02:50 UTC 2021


Hi, for a second day I have been scratching my head over (automatic) publishing
of CDS/CDNSKEY records. When I read Matthijs Mekking's KB article at
https://kb.isc.org/docs/dnssec-key-and-signing-policy, I wanted to try
dnssec-policy. Until now I was successfully using inline-signing with
auto-dnssec.

I configured my dnssec-policy to match the current key settings, but I
probably made a mistake and it did not match them, so a new key was
generated. No big deal, it's a test domain, a rollover is not a problem.

Since my TLD supports CDNSKEY, I want to leverage it. So I removed the current
DS record from the domain and expected Bind to publish CDS/CDNSKEY (
https://bind9.readthedocs.io/en/latest/dnssec-guide.html#the-cds-and-cdnskey-resource-records).
Unfortunately I cannot get bind to publish them automatically. No clue
why. I kind of expected bind to publish them automatically at PublishCDS: 20210811135045
(Wed Aug 11 15:50:45 2021).

domain: irmorava.cz
version: BIND 9.16.19
OS: CentOS 8 Stream + packages from copr.

named.conf:
dnssec-policy "pepa" {
    keys {
        csk key-directory lifetime unlimited algorithm 13;
    };

    // Key timings
    dnskey-ttl PT1H;
    publish-safety PT1H;
    retire-safety PT1H;
    purge-keys P1D;

    // Signature timings
    signatures-refresh P5D;
    signatures-validity P14D;
    signatures-validity-dnskey P14D;

    // Zone parameters
    max-zone-ttl PT1H;
    zone-propagation-delay PT5M;
    parent-ds-ttl PT1H;
    parent-propagation-delay PT1H;
    nsec3param iterations 1 optout false salt-length 16;
};

zone "irmorava.cz" {
    type master;
    file "master/irmorava.cz.zone";
    allow-update { none; };
    key-directory "keys/irmorava.cz";
    dnssec-policy pepa;
    notify yes;
    allow-transfer { pepa_abc; };
};


dig irmorava.cz @127.0.0.1 DNSKEY +short +norec
257 3 13 Xsfq5rEgoE+iT+cvq0OZz43MiLiRLeH8SUAEIprn0/J3PNZSYVlCeNuF
5lfNo6uM0TeApujDhmQ1FPNINKxa2Q==


rndc dnssec -status irmorava.cz
dnssec-policy: pepa
current time:  Thu Aug 12 08:38:40 2021

key: 22788 (ECDSAP256SHA256), CSK
  published:      yes - since Wed Aug 11 10:20:00 2021
  key signing:    yes - since Wed Aug 11 10:20:00 2021
  zone signing:   yes - since Wed Aug 11 12:25:00 2021

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             hidden
  - zone rrsig:     rumoured
  - key rrsig:      omnipresent

key: 44055 (ECDSAP256SHA256), CSK
  published:      no
  key signing:    no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - ds:             hidden
  - zone rrsig:     unretentive
  - key rrsig:      hidden

key: 35549 (ECDSAP256SHA256), CSK
  published:      no
  key signing:    no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - ds:             hidden
  - zone rrsig:     hidden
  - key rrsig:      hidden



/var/named/keys/irmorava.cz/Kirmorava.cz.+013+22788.state:
; This is the state of key 22788, for irmorava.cz.
Algorithm: 13
Length: 256
Lifetime: 0
Predecessor: 44055
KSK: yes
ZSK: yes
Generated: 20210811082000 (Wed Aug 11 10:20:00 2021)
Published: 20210811082000 (Wed Aug 11 10:20:00 2021)
Active: 20210811102500 (Wed Aug 11 12:25:00 2021)
DSPublish: 20210811131037 (Wed Aug 11 15:10:37 2021)
DSRemoved: 20210811131020 (Wed Aug 11 15:10:20 2021)
PublishCDS: 20210811135045 (Wed Aug 11 15:50:45 2021)
DNSKEYChange: 20210811102500 (Wed Aug 11 12:25:00 2021)
ZRRSIGChange: 20210811082000 (Wed Aug 11 10:20:00 2021)
KRRSIGChange: 20210811102500 (Wed Aug 11 12:25:00 2021)
DSChange: 20210811082000 (Wed Aug 11 10:20:00 2021)
DNSKEYState: omnipresent
ZRRSIGState: rumoured
KRRSIGState: omnipresent
DSState: hidden
GoalState: omnipresent


As you can see, I rolled over 2 more keys, but the desired records were not
published. Yesterday I tried manually 'dnssec-settime -P sync now
Kirmorava.cz.+013+22788.key'. I waited, as I read here
https://lists.isc.org/pipermail/bind-users/2020-April/102903.html, but still
no luck.

I am sure I am missing something stupidly simple. Could someone please give
me a hint? Or are 'parental-agents' required to be configured? That does not
seem like the right way to me.

Josef
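An added check to go with the question above (my own example, not code from the post or from BIND): it computes the CDS that should eventually be published for the DNSKEY shown in the dig output, using the RFC 4034 key tag and SHA-256 digest, so whatever BIND publishes (or a registry's CDS scanner computes) can be compared against the DNSKEY. The DNSKEY values are copied from the post; the function names are mine, and a CDNSKEY is just the DNSKEY RDATA itself, so only the CDS needs computing.

```python
"""Expected CDS/DS for a DNSKEY: RFC 4034 key tag (Appendix B) and SHA-256
digest (RFC 4034 section 5.1.4, digest type 2). Stdlib only, no network."""
import base64
import hashlib
import struct

# Values copied from the dig output in the post (owner irmorava.cz, CSK, alg 13).
DNSKEY_OWNER = "irmorava.cz."
DNSKEY_FLAGS, DNSKEY_PROTO, DNSKEY_ALG = 257, 3, 13
DNSKEY_B64 = ("Xsfq5rEgoE+iT+cvq0OZz43MiLiRLeH8SUAEIprn0/J3PNZSYVlCeNuF"
              "5lfNo6uM0TeApujDhmQ1FPNINKxa2Q==")


def name_to_wire(name):
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, proto, alg, pubkey_b64):
    """DNSKEY RDATA in wire form: flags(2) proto(1) alg(1) pubkey."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def cds_record(owner, flags, proto, alg, pubkey_b64):
    """Return (key_tag, alg, digest_type, hex_digest): the CDS/DS RDATA fields,
    with digest type 2 (SHA-256), which is what BIND publishes by default."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, 2, digest


def cds_matches(published, owner, flags, proto, alg, pubkey_b64):
    """Compare a CDS in presentation format ('tag alg dtype hex...', as dig
    prints it, digest possibly split by spaces) against the expected one."""
    tag, palg, dtype, *digest = published.split()
    seen = (int(tag), int(palg), int(dtype), "".join(digest).upper())
    return seen == cds_record(owner, flags, proto, alg, pubkey_b64)


if __name__ == "__main__":
    tag, alg, dtype, digest = cds_record(DNSKEY_OWNER, DNSKEY_FLAGS, DNSKEY_PROTO,
                                         DNSKEY_ALG, DNSKEY_B64)
    print(f"{DNSKEY_OWNER} IN CDS {tag} {alg} {dtype} {digest}")
```

The key tag it derives from the dig output is 22788, the same tag rndc and the .state file report, which confirms the DNSKEY being checked is the one the policy considers active.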