dnssec-policy: Old DNSKEYs still in zone despite status showing hidden
Matthijs Mekking
matthijs at isc.org
Thu Aug 11 15:41:09 UTC 2022
On 10-08-2022 11:21, Matthijs Mekking wrote:
>> The last zone, milltime.se, has become stuck. sudo rndc dnssec -status
>> reports that the old keys are removed from the zone and the new keys are
>> omnipresent, but the log says "zone milltime.se/IN (signed): Key
>> milltime.se/RSASHA1/22971 missing or inactive and has no replacement:
>> retaining signatures."
>>
>> Never mind. I was too quick switching to NSEC3, which is incompatible
>> with the old key. Switching back to NSEC allowed the rollover to
>> complete. Still, shouldn't BIND have been able to figure this out on its
>> own? It kept using NSEC because of the incompatible key, and it kept the
>> incompatible key needed to verify the NSEC records. Catch-22? (Yes, I've
>> read about the questionable merits of NSEC3.)
>
> I think we could improve named-checkconf to error out on a policy that
> uses NSEC3 with an incompatible algorithm yes. Thanks for the suggestion.
I jumped on this one too quickly. There is actually already a checkconf
for this.
But your issue is slightly different. It is about configuring NSEC3 when
the previous configuration uses an incompatible DNSKEY algorithm.
This is not easy to check with named-checkconf. But also, this is
already caught by named.
You already witnessed some log messages indicating things are wrong: "Key
milltime.se/RSASHA1/22971 missing or inactive and has no replacement:
retaining signatures." But perhaps you also saw this one: "zone
milltime.se/IN (signed): NSEC only DNSKEYs and NSEC3 chains not allowed",
which is more informative.
You recovered from this the right way: Switch back to using NSEC, until
the old keys are gone from the zone, then you can enable NSEC3.
At first I thought BIND9 was handling this fine, but giving it another
thought I think you are right that BIND could figure this out and, rather
than blocking signing because of the erroneous state, hold off creating the
NSEC3 chain until the offending DNSKEYs have been removed from the zone.
So here is a merge request that you can try out, or you can wait until
this makes a 9.18 release:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6647
Best regards,
Matthijs
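The recovery Matthijs describes (keep NSEC until the old DNSKEYs are actually gone from the zone, then enable NSEC3) hinges on what the zone publishes, not on what `rndc dnssec -status` reports. The following is an added example, not code from this thread or from BIND: it parses a DNSKEY RRset in the presentation format `dig` prints, computes each key's tag (RFC 4034 Appendix B) so keys can be matched against BIND's `zone/ALGORITHM/keytag` log labels, and reports any key whose algorithm is NSEC-only (RSAMD5, DSA, RSASHA1; RFC 5155 section 2). The zone name `example.test`, the record TTLs and the key material are all constructed; the keys are toy bytes, not real keys.

```python
"""Check whether a zone's published DNSKEY RRset still carries NSEC-only
algorithms, which is the condition that blocks enabling NSEC3 in the thread.

Added example, not code from the bind-users thread or from BIND.  The input
is constructed: DNSKEY records in presentation format, as `dig DNSKEY <zone>`
prints them, with toy key bytes rather than real key material.
"""
import base64
import re
import struct

# Algorithms that may only be used with NSEC (RFC 5155 section 2).  RSAMD5 is
# long deprecated but is listed so it is never mistaken for NSEC3-capable.
NSEC_ONLY_ALGORITHMS = {1, 3, 5}

# Mnemonics from the IANA DNSSEC algorithm registry, for BIND-style labels.
ALGORITHM_NAMES = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1",
    6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
    10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
    15: "ED25519", 16: "ED448",
}

# owner  TTL  IN  DNSKEY  flags  protocol  algorithm  base64-key
DNSKEY_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>.+)$"
)

# Constructed sample: an old RSASHA1 KSK the rollover has not yet removed,
# plus the new ECDSAP256SHA256 KSK/ZSK pair.  Not real data for any zone.
SAMPLE_DNSKEY_RRSET = """\
; <<>> constructed dig output for zone example.test <<>>
example.test.   3600 IN DNSKEY 257 3 5 AQI=
example.test.   3600 IN DNSKEY 257 3 13 BgcI
example.test.   3600 IN DNSKEY 256 3 13 AwQF
example.test.   3600 IN RRSIG DNSKEY 13 2 3600 20220901000000 20220801000000 4629 example.test. AAAA
"""


def key_tag(flags, protocol, algorithm, key_b64):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskeys(text):
    """Return the DNSKEY records found in presentation-format text.
    Comments and other RR types (such as the RRSIG) are skipped."""
    keys = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        match = DNSKEY_RE.match(line) if line else None
        if not match:
            continue
        flags = int(match.group("flags"))
        proto = int(match.group("proto"))
        alg = int(match.group("alg"))
        key_b64 = "".join(match.group("key").split())  # dig may space the base64
        keys.append({
            "name": match.group("name").rstrip("."),
            "flags": flags,
            "algorithm": alg,
            "key_tag": key_tag(flags, proto, alg, key_b64),
        })
    return keys


def key_label(key):
    """Label a key the way BIND's log does: zone/ALGORITHM/keytag."""
    alg_name = ALGORITHM_NAMES.get(key["algorithm"], str(key["algorithm"]))
    return f"{key['name']}/{alg_name}/{key['key_tag']}"


def check_nsec3_readiness(text):
    """Return (ready, blockers): ready is True only when no published DNSKEY
    uses an NSEC-only algorithm; blockers lists the offending keys."""
    keys = parse_dnskeys(text)
    blockers = [key_label(k) for k in keys if k["algorithm"] in NSEC_ONLY_ALGORITHMS]
    return (not blockers, blockers)


if __name__ == "__main__":
    ready, blockers = check_nsec3_readiness(SAMPLE_DNSKEY_RRSET)
    if ready:
        print("no NSEC-only DNSKEYs published: NSEC3 can be enabled in the policy")
    else:
        print("keep NSEC until these DNSKEYs leave the zone:", ", ".join(blockers))
```

In practice you would feed it the answer section of `dig +noall +answer DNSKEY <zone>` taken from the authoritative server itself, so the check reflects the RRset the server is serving rather than the key-manager's view; while it reports a blocker, leave `nsec3param` out of the dnssec-policy, and only add it once the old-algorithm DNSKEY has been withdrawn and its TTL has expired.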