dnssec: ds showing hidden 3+ days after key roll

Matthijs Mekking matthijs at isc.org
Thu Feb 10 12:20:14 UTC 2022


Hi Larry,

There have been several bug fixes for dnssec-policy since its 
introduction. What version of 9.17 are you running?

I can't tell what causes the ds to stay in the hidden state. The timings 
in the state file should allow it to move to the next state.

If you were able to turn on logging, on each run the keymgr will tell 
you the reason why it cannot move the DS to the next state. Such logs 
happen on DEBUG(1) level.

Best regards,

Matthijs



On 09-02-2022 17:35, Larry Rosenman wrote:
> On 02/09/2022 9:52 am, Matthijs Mekking wrote:
>> Hi Larry,
>>
>> Without more information it is hard to tell what is going on.
>>
>> Can you share your dnssec-policy and the contents of the key state
>> file? And if you have useful logs (grep for keymgr) that would be
>> handy too to see what is going on.
>>
>> If you prefer to share them off list, you can mail them me directly.
>>
>> Best regards,
>>
>> Matthijs
>>
>> On 08-02-2022 18:00, Larry Rosenman wrote:
>>> Greetings,
>>> New poster. I just converted over to DNSSEC-policy, and rolled 
>>> my KSK. I see:
>>> key: 269 (RSASHA256), KSK
>>>    published:      yes - since Sun Feb  6 14:31:32 2022
>>>    key signing:    yes - since Sun Feb  6 14:31:32 2022
>>>
>>>    No rollover scheduled
>>>    - goal:           omnipresent
>>>    - dnskey:         omnipresent
>>>    - ds:             hidden
>>>    - key rrsig:      omnipresent
>>>
>>>
>>> Is it normal to see the ds as hidden?  It IS published, and I told 
>>> rndc that.
>>>
>>> Any insight appreciated.
>>>
> 
> thebighonker# cat Klerctr.org.+008+00269.state
> ; This is the state of key 269, for lerctr.org.
> Algorithm: 8
> Length: 2048
> Lifetime: 0
> Predecessor: 20014
> KSK: yes
> ZSK: no
> Generated: 20220206203132 (Sun Feb  6 14:31:32 2022)
> Published: 20220206203132 (Sun Feb  6 14:31:32 2022)
> Active: 20220206213632 (Sun Feb  6 15:36:32 2022)
> DSPublish: 20220207015646 (Sun Feb  6 19:56:46 2022)
> PublishCDS: 20220206223632 (Sun Feb  6 16:36:32 2022)
> DNSKEYChange: 20220206223632 (Sun Feb  6 16:36:32 2022)
> KRRSIGChange: 20220206223632 (Sun Feb  6 16:36:32 2022)
> DSChange: 20220206203132 (Sun Feb  6 14:31:32 2022)
> DNSKEYState: omnipresent
> KRRSIGState: omnipresent
> DSState: hidden
> GoalState: omnipresent
> thebighonker#
> 
> dnssec-policy "ler1" {
>         keys {
>                 ksk lifetime unlimited algorithm 8 2048 ;
>                 zsk lifetime 30d algorithm 13;
>         };
>         // Key timings
>         dnskey-ttl 3600;
>         publish-safety 1h;
>         retire-safety 1h;
>         purge-keys P90D;
>         // Signature timings
>         signatures-refresh 5d;
>         signatures-validity 14d;
>         signatures-validity-dnskey 14d;
>         // Zone parameters
>         max-zone-ttl 86400;
>         zone-propagation-delay 300;
>         // Parent parameters
>         parent-ds-ttl 86400;
>         parent-propagation-delay 1h;
>         nsec3param iterations 0 salt-length 0;
> };
> 
> Unfortunately my 9.17(alpha) named got into a signing loop, so I don't 
> want to look through that logging.
> 
> I know -- I need to update to 9.18, but am waiting on the FreeBSD port 
> maintainer to add 9.18 to the ports tree.
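As an added diagnostic example (not part of this thread and not BIND's own code), the checker below parses the key state file posted above and compares its DS timestamps with the parent-side timers from the posted dnssec-policy. The hold-down formula (parent-ds-ttl + parent-propagation-delay + retire-safety) and the order of checks are assumptions made for illustration, not BIND's documented keymgr logic; the DEBUG(1) keymgr log remains the authoritative source for why a state does not advance.

```python
import re
from datetime import datetime, timedelta, timezone

# Excerpt of the posted Klerctr.org.+008+00269.state; timestamps are UTC YYYYMMDDHHMMSS.
STATE_FILE = """\
; This is the state of key 269, for lerctr.org.
Published: 20220206203132 (Sun Feb  6 14:31:32 2022)
DSPublish: 20220207015646 (Sun Feb  6 19:56:46 2022)
DSChange: 20220206203132 (Sun Feb  6 14:31:32 2022)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: hidden
GoalState: omnipresent
"""
# Parent-side timing knobs from the posted dnssec-policy "ler1", in seconds.
POLICY = {"parent-ds-ttl": 86400, "parent-propagation-delay": 3600,
          "retire-safety": 3600}
# Timestamp of the reply at the top of this thread, used as "now".
REPLY_TIME = "20220210122014"

def parse_ts(val):
    """Convert a state-file timestamp (UTC, YYYYMMDDHHMMSS) to a datetime."""
    return datetime.strptime(val, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_state(text):
    """Return {field: value}; 14-digit values become UTC datetimes."""
    state = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s+(\S+)", line)
        if m:                       # skips the ';' comment line
            key, val = m.groups()
            state[key] = parse_ts(val) if re.fullmatch(r"\d{14}", val) else val
    return state

def check_ds(state, policy, now):
    """Classify why DSState may still be 'hidden' at `now` (a parse_ts value).
    Assumes (not stated in the thread) that the DS hold-down is the sum of the
    three parent-side timers; the keymgr DEBUG(1) log gives the real reason."""
    if state.get("DSState") != "hidden":
        return "ds-not-hidden"
    if state.get("DNSKEYState") != "omnipresent" or state.get("KRRSIGState") != "omnipresent":
        return "waiting-for-dnskey"        # DS should not advance before DNSKEY/RRSIG are everywhere
    if "DSPublish" not in state:
        return "ds-not-seen-at-parent"     # no 'rndc dnssec -checkds published' recorded
    hold = timedelta(seconds=policy["parent-ds-ttl"] + policy["parent-propagation-delay"]
                     + policy["retire-safety"])
    if now < state["DSPublish"] + hold:
        return "waiting-for-ds-timers"
    return "timers-elapsed-check-keymgr-log"
```

For the posted file and policy, the 26-hour hold-down after DSPublish expired on 2022-02-08, so by the date of this reply the timers are not what blocks the DS, which is what the reply above says.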

