DNSSEC and NSEC missing ZSK?

Matthijs Mekking matthijs at isc.org
Mon Feb 8 14:24:12 UTC 2021


Hi,

On 08-02-2021 12:20, @lbutlr wrote:
> I feel I am getting close. I got the digest generated for hover.com and updated the DNS on the test zone, but I am getting errors on verify that I don't understand.
> 
> #v+
> # dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed
> Loading zone 'example.com' from file '/etc/namedb/working/example.com.signed'
> 
> Verifying the zone using the following algorithms:
> - ECDSAP256SHA256
> Missing ZSK for algorithm ECDSAP256SHA256
> Missing NSEC record for blog.example.com
> Missing NSEC record for wiki.example.com
> Missing NSEC record for foobar.example.com
> Missing NSEC record for barfoo.example.com
> The zone is not fully signed for the following algorithms:
>   ECDSAP256SHA256
> .
> DNSSEC completeness test failed.
> #v-
> 
> The missing ZSK is throwing me, and I don't know what to add to my zone record for NSEC. I am following along (trying) with https://bind9.readthedocs.io/en/latest/dnssec-guide.html which makes no mention of this, but shows NSEC showing up in the output of the signed file.

Use dnssec-verify -z to indicate that the ZSK may be the same key as the 
KSK.

The missing NSEC records are more worrisome.


> The only thing I can find that seems relevant (though it is for bind 9.7.3) is part of the key generation, but I did not generate the keys manually, bind did that with dnssec-policy default;
> 
> #v+
> ; This is the state of key 18434, for example.com.
> Algorithm: 13
> Length: 256
> Lifetime: 0
> KSK: yes
> ZSK: yes
> Generated: 20210202180145 (Tue Feb  2 11:01:45 2021)
> Published: 20210202180145 (Tue Feb  2 11:01:45 2021)
> Active: 20210202180145 (Tue Feb  2 11:01:45 2021)
> PublishCDS: 20210203190645 (Wed Feb  3 12:06:45 2021)
> DNSKEYChange: 20210202200645 (Tue Feb  2 13:06:45 2021)
> ZRRSIGChange: 20210203190645 (Wed Feb  3 12:06:45 2021)
> KRRSIGChange: 20210202200645 (Tue Feb  2 13:06:45 2021)
> DSChange: 20210203190645 (Wed Feb  3 12:06:45 2021)
> DNSKEYState: omnipresent
> ZRRSIGState: omnipresent
> KRRSIGState: omnipresent
> DSState: rumoured
> GoalState: omnipresent
> #v-
> 
> So the state file says the ZSK is yes, but dnssec-verify says no.
> 
> I ran delv test and it looks as I expect based on the guide linked above.
> 
> #v+
> # delv @127.0.0.1 -a /tmp/Kexample.com.+013+18434.key +root=example.com example.com SOA +multiline
> ; fully validated
> example.com.          3600 IN SOA ns1.example.net. admin.example.net. (
>                                  2018022422 ; serial
>                                  300        ; refresh (5 minutes)
>                                  300        ; retry (5 minutes)
>                                  18000      ; expire (5 hours)
>                                  3600       ; minimum (1 hour)
>                                  )
> example.com.          3600 IN RRSIG SOA 13 2 3600 (
>                                  20210221095138 20210207085138 18434 example.com.
>                                  Qps8u4m6…=
> #v-
> 
> Is there a way to force rndc/bind to recreate the .signed file? If I move it aside and restart named or rndc reload or rndc reconfig, the signed zone file is not recreated.


rndc sign zone

- Matthijs
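The two answers above (pass -z to dnssec-verify when the policy generated one combined KSK/ZSK key, and use "rndc sign" to get the zone re-signed) can be wrapped so the verify step picks the right flag automatically. The script below is an added example, not code from the thread or from BIND. It assumes the dnssec-policy key state files live in a directory KEYDIR (BIND's key-directory) under the usual name K<zone>.+<alg>+<id>.state, that the signed zone is in SIGNEDFILE, and that dnssec-verify is on PATH when verify_zone runs; summarize_verify only reads dnssec-verify's text output and so works without BIND installed.

```shell
#!/bin/sh
# Added example, not from the thread or from BIND. Decide whether
# dnssec-verify needs -z by reading the dnssec-policy key state files
# (a key with "KSK: yes" and "ZSK: yes" is a combined signing key, which
# is what "dnssec-policy default" creates), then summarize the output.
# Assumed layout: KEYDIR/K<zone>.+<alg>+<id>.state (BIND key-directory).

# key_is_csk FILE -> succeeds when the state file marks the key as both
# KSK and ZSK, i.e. the ZSK is the same key as the KSK.
key_is_csk() {
    grep -q '^KSK: yes' "$1" && grep -q '^ZSK: yes' "$1"
}

# verify_flags ZONE KEYDIR -> prints "-z" when any key for ZONE is a CSK,
# nothing otherwise (dnssec-verify then expects a separate ZSK).
verify_flags() {
    zone=$1
    keydir=$2
    for f in "$keydir"/K"$zone".+*.state; do
        [ -f "$f" ] || continue
        if key_is_csk "$f"; then
            printf '%s' '-z'
            return 0
        fi
    done
    return 0
}

# summarize_verify: reads dnssec-verify output on stdin and prints one line
#   zsk_missing=<n> nsec_missing=<n> status=<ok|fail>
# "Missing NSEC record for" (or NSEC3) lines are counted per owner name, so
# the number of names that are not covered by the chain is visible at a glance.
summarize_verify() {
    awk '
        /^Missing ZSK for algorithm/     { zsk++ }
        /^Missing NSEC(3)? record for/   { nsec++ }
        /completeness test failed/       { fail = 1 }
        END {
            printf "zsk_missing=%d nsec_missing=%d status=%s\n",
                   zsk, nsec, (fail ? "fail" : "ok")
        }'
}

# verify_zone ZONE SIGNEDFILE KEYDIR -> runs dnssec-verify with the flag
# derived from the key state files and prints the summary line.
verify_zone() {
    zone=$1
    signed=$2
    keydir=$3
    flags=$(verify_flags "$zone" "$keydir")
    # $flags is intentionally unquoted so an empty value adds no argument.
    dnssec-verify -I text -o "$zone" $flags "$signed" 2>&1 | summarize_verify
}

# Usage (paths are assumptions for the example):
#   verify_zone example.com /etc/namedb/working/example.com.signed /etc/namedb/keys
# If nsec_missing is non-zero, have named re-sign the zone and check again:
#   rndc sign example.com
```

A non-zero nsec_missing after `rndc sign example.com` means the chain of denial of existence is still incomplete for those names, which is the part of the report above that matters more than the ZSK message.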


More information about the bind-users mailing list