KSK signing zone records

Mark Andrews marka at isc.org
Thu Sep 2 20:22:46 UTC 2021


Just give it time. Named will choose the appropriate DNSKEY when it comes time to re-sign the RRset. 

-- 
Mark Andrews

> On 3 Sep 2021, at 03:26, Timothy A. Holtzen <tah at nebrwesleyan.edu> wrote:
> 
> Okay, so if I'm interpreting this correctly.  When the new alg 14 KSKs
> were created and then the zone was signed (either automatically or via a
> command) there was probably only a valid alg 8 ZSK available.  As a
> result bind used the alg 14 KSK as a de facto CSK and signed the zone
> RRSets directly.  This would make sense given the nature of the issue I
> had with my key rotation process.  However now I have both valid alg 8
> and alg 14 ZSK available.  Is there a way to go back and get bind to
> re-evaluate the zone to recognize the valid ZSK records and sign them only?
> 
> Timothy A. Holtzen
> Campus Network Administrator
> Nebraska Wesleyan University
> Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D  C7DD DFFB 7662 24E6 C30D
> Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7
> 
>> On 8/31/21 18:07, Mark Andrews wrote:
>> Named will continually re-sign parts of the zone as the RRSIGs for a RRset fall due
>> for replacement.  Named looks at which keys are in the active state to determine along
>> with the aforementioned controls to work out which DNSKEYs will be used to re-sign the
>> RRset.  If in the past you only had one key type and you now have two, different keys
>> may be used to re-sign the RRset.  If you changed policy in named.conf, the new policy
>> will be implemented as the RRSIGs are re-generated.
>> 
>> It looks like you told named to re-sign the zone when there was only one type of DNSKEY
>> key record (or you were unlucky enough for named to check the available keys while there
>> was only one active key present) resulting in named overriding the policy in named.conf.
>> 
>> Mark
>> 
>>> On 1 Sep 2021, at 03:44, Timothy A. Holtzen via bind-users <bind-users at lists.isc.org> wrote:
>>> 
>>> I'm using Algorithm 8 RSA/SHA-256, and Algorithm 14 ECDSA/SHA-384.  I
>>> have one RSA KSK and one RSA ZSK.  In addition I have two ECDSA KSK and
>>> two ECDSA ZSK.   The RSA KSK seems perfectly happy to sign the ECDSA
>>> ZSKs.  And both the RSA and ECDSA ZSKs seem to be signing records
>>> correctly.  It just seems to be the two newer ECDSA KSKs that instead of
>>> signing the ZSKs are signing the domain records directly. 
>>> 
>>> Even more perplexing is that one of the domains seems to have fixed
>>> itself.  Now all the KSKs for that domain are signing the ZSKs and the
>>> ZSKs are signing the domain records.  But I've still got a couple of
>>> other domains where it is doing it wrong.  Is there some kind of timeout
>>> or maintenance that gets run automatically that might have fixed the
>>> issue?  I've tried running an "rndc sign" command on the domains several
>>> times.
>>> 
>>> Timothy A. Holtzen
>>> Campus Network Administrator
>>> Nebraska Wesleyan University
>>> Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D  C7DD DFFB 7662 24E6 C30D
>>> Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7
>>> 
>>> On 8/30/21 17:40, raf via bind-users wrote:
>>>> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton <clists at buxtonfamily.us> wrote:
>>>> 
>>>>> What algorithm(s) are you using for ZSK and KSK? If they’re not the
>>>>> same algorithm, then both will be used to sign the entire zone.
>>>>> 
>>>>> Regards,
>>>>> Chris Buxton
>>>> Just out of curiosity, why is that?
>>>> Isn't having the KSK sign the ZSK enough?
>>>> What difference does the nature of the thing
>>>> being signed make?
>>>> 
>>>> cheers,
>>>> raf
>>>> 
>>>> _______________________________________________
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>>> 
>>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>>> 
>>>> 
>>>> bind-users mailing list
>>>> bind-users at lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
> 
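The rule Chris states above (every algorithm present in the apex DNSKEY RRset must produce an RRSIG on every RRset, RFC 4035 section 2.2) and the symptom Timothy describes (a KSK signing zone data directly) can both be checked from a zone's DNSKEY and RRSIG records. The audit below is an added example, not code from any poster or from BIND; the key tags, owner names and records are constructed sample data.

```python
from collections import defaultdict

# Constructed DNSKEY set as (key_tag, flags, algorithm).
# Flags 257 carry the SEP bit (KSK); 256 do not (ZSK).
DNSKEYS = [
    (11111, 257, 8),   # RSA/SHA-256 KSK
    (22222, 256, 8),   # RSA/SHA-256 ZSK
    (33333, 257, 14),  # ECDSA P-384 KSK
    (44444, 256, 14),  # ECDSA P-384 ZSK
]

# Constructed RRSIG records as (owner, type_covered, algorithm, key_tag).
RRSIGS = [
    ("example.net.", "DNSKEY", 8, 11111),
    ("example.net.", "DNSKEY", 14, 33333),
    ("example.net.", "SOA", 8, 22222),
    ("example.net.", "SOA", 14, 33333),    # KSK used on zone data
    ("www.example.net.", "A", 8, 22222),   # no alg 14 signature at all
]


def audit(dnskeys, rrsigs):
    """Return a list of findings: KSKs signing non-DNSKEY RRsets, RRSIGs
    whose algorithm does not match the key they name, and RRsets that lack
    a signature for some algorithm present in the DNSKEY RRset."""
    roles = {tag: ("KSK" if flags & 1 else "ZSK", alg) for tag, flags, alg in dnskeys}
    zone_algs = {alg for _, _, alg in dnskeys}
    findings = []
    algs_seen = defaultdict(set)  # (owner, type) -> algorithms with an RRSIG
    for owner, rtype, alg, tag in rrsigs:
        algs_seen[(owner, rtype)].add(alg)
        role, key_alg = roles.get(tag, ("UNKNOWN", None))
        if role == "UNKNOWN":
            findings.append(f"{owner} {rtype}: RRSIG by unknown key tag {tag}")
        elif key_alg != alg:
            findings.append(f"{owner} {rtype}: RRSIG alg {alg} but key {tag} is alg {key_alg}")
        elif role == "KSK" and rtype != "DNSKEY":
            findings.append(f"{owner} {rtype}: signed by KSK {tag} (alg {alg}) instead of a ZSK")
    for (owner, rtype), seen in algs_seen.items():
        for alg in sorted(zone_algs - seen):
            findings.append(f"{owner} {rtype}: no RRSIG for algorithm {alg}")
    return findings


if __name__ == "__main__":
    for line in audit(DNSKEYS, RRSIGS):
        print(line)
```

Feeding it real data means extracting the same four fields from `dig +dnssec` output or a signed zone file; the missing-algorithm finding is the one a validator would turn into SERVFAIL, while the KSK-on-zone-data finding is only a policy deviation.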

