dnssec: ds showing hidden 3+ days after key roll

Matthijs Mekking matthijs at isc.org
Thu Feb 10 16:10:49 UTC 2022 

Hi,

There are several things wrong here. The gist of it is that there is no 
valid ZSK and since the zone is not properly signed, BIND does not want 
to publish the DS record (even if outside BIND you already published the 
DS).

You can tell that BIND does not agree because it did not publish a CDS 
record in your zone.

I also noticed two different algorithms. I hadn't noticed it before but 
your policy says:

         keys {
                 ksk lifetime unlimited algorithm 8 2048 ;
                 zsk lifetime 30d algorithm 13;
         };

This is a garbage policy because you specify different algorithms for 
the ksk and the zsk. This can never result in a validly signed zone.

Change the algorithm of the keys so that they match.

Perhaps we can add a named-checkconf check for this.


Best regards,

Matthijs





On 10-02-2022 15:47, Larry Rosenman wrote:
> version: bind9-devel-9.17.18.a0.2021.10.08
> 
> Debug logs from yesterday for this zone (none in todays log):
> <183>1 2022-02-09T02:18:28.587884-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: keyring: 
> lerctr.org/RSASHA256/8385 (policy ler1)
> <183>1 2022-02-09T02:18:28.587906-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: keyring: 
> lerctr.org/RSASHA256/34851 (policy ler1)
> <183>1 2022-02-09T02:18:28.587918-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: keyring: 
> lerctr.org/RSASHA256/20014 (policy ler1)
> <183>1 2022-02-09T02:18:28.587928-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: keyring: 
> lerctr.org/ECDSAP256SHA256/6539 (policy ler1)
> <183>1 2022-02-09T02:18:28.587939-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: keyring: 
> lerctr.org/RSASHA256/269 (policy ler1)
> <183>1 2022-02-09T02:18:28.587949-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: dnskeys: 
> lerctr.org/ECDSAP256SHA256/6539 (policy ler1)
> <183>1 2022-02-09T02:18:28.587960-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: dnskeys: 
> lerctr.org/RSASHA256/269 (policy ler1)
> <183>1 2022-02-09T02:18:28.588003-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: DNSKEY 
> lerctr.org/RSASHA256/20014 (KSK) matches policy ler1
> <183>1 2022-02-09T02:18:28.588020-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: DNSKEY 
> lerctr.org/RSASHA256/269 (KSK) matches policy ler1
> <183>1 2022-02-09T02:18:28.588032-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: DNSKEY 
> lerctr.org/RSASHA256/269 (KSK) is active in policy ler1
> <183>1 2022-02-09T02:18:28.588045-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: new 
> successor needed for DNSKEY lerctr.org/RSASHA256/269 (KSK) (policy ler1) 
> in 2650572588 seconds
> <183>1 2022-02-09T02:18:28.588056-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: DNSKEY 
> lerctr.org/ECDSAP256SHA256/6539 (ZSK) matches policy ler1
> <183>1 2022-02-09T02:18:28.588067-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: DNSKEY 
> lerctr.org/ECDSAP256SHA256/6539 (ZSK) is active in policy ler1
> <183>1 2022-02-09T02:18:28.588079-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: new 
> successor needed for DNSKEY lerctr.org/ECDSAP256SHA256/6539 (ZSK) 
> (policy ler1) in 2379102 seconds
> <183>1 2022-02-09T02:18:28.588090-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine ZSK 
> lerctr.org/RSASHA256/8385 type DNSKEY in state HIDDEN
> <183>1 2022-02-09T02:18:28.588101-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: ZSK 
> lerctr.org/RSASHA256/8385 type DNSKEY in stable state HIDDEN
> <183>1 2022-02-09T02:18:28.588111-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine ZSK 
> lerctr.org/RSASHA256/8385 type ZRRSIG in state UNRETENTIVE
> <183>1 2022-02-09T02:18:28.588122-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: can we 
> transition ZSK lerctr.org/RSASHA256/8385 type ZRRSIG state UNRETENTIVE 
> to state HIDDEN?
> <183>1 2022-02-09T02:18:28.588143-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: dnssec 
> evaluation of ZSK lerctr.org/RSASHA256/8385 record ZRRSIG: rule1=(~false 
> or false) rule2=(~true or true) rule3=(~true or true)
> <183>1 2022-02-09T02:18:28.588162-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: time says no 
> to ZSK lerctr.org/RSASHA256/8385 type ZRRSIG state UNRETENTIVE to state 
> HIDDEN (wait 662502 seconds)
> <183>1 2022-02-09T02:18:28.588174-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine ZSK 
> lerctr.org/RSASHA256/34851 type DNSKEY in state HIDDEN
> <183>1 2022-02-09T02:18:28.588184-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: ZSK 
> lerctr.org/RSASHA256/34851 type DNSKEY in stable state HIDDEN
> <183>1 2022-02-09T02:18:28.588194-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine ZSK 
> lerctr.org/RSASHA256/34851 type ZRRSIG in state UNRETENTIVE
> <183>1 2022-02-09T02:18:28.588205-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: can we 
> transition ZSK lerctr.org/RSASHA256/34851 type ZRRSIG state UNRETENTIVE 
> to state HIDDEN?
> <183>1 2022-02-09T02:18:28.588225-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: dnssec 
> evaluation of ZSK lerctr.org/RSASHA256/34851 record ZRRSIG: 
> rule1=(~false or false) rule2=(~true or true) rule3=(~true or true)
> <183>1 2022-02-09T02:18:28.588244-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: time says no 
> to ZSK lerctr.org/RSASHA256/34851 type ZRRSIG state UNRETENTIVE to state 
> HIDDEN (wait 592212 seconds)
> <183>1 2022-02-09T02:18:28.588256-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine KSK 
> lerctr.org/RSASHA256/20014 type DNSKEY in state HIDDEN
> <183>1 2022-02-09T02:18:28.588266-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: KSK 
> lerctr.org/RSASHA256/20014 type DNSKEY in stable state HIDDEN
> <183>1 2022-02-09T02:18:28.588276-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine KSK 
> lerctr.org/RSASHA256/20014 type KRRSIG in state HIDDEN
> <183>1 2022-02-09T02:18:28.588286-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: KSK 
> lerctr.org/RSASHA256/20014 type KRRSIG in stable state HIDDEN
> <183>1 2022-02-09T02:18:28.588296-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine KSK 
> lerctr.org/RSASHA256/20014 type DS in state HIDDEN
> <183>1 2022-02-09T02:18:28.588306-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: KSK 
> lerctr.org/RSASHA256/20014 type DS in stable state HIDDEN
> <183>1 2022-02-09T02:18:28.588317-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine ZSK 
> lerctr.org/ECDSAP256SHA256/6539 type DNSKEY in state OMNIPRESENT
> <183>1 2022-02-09T02:18:28.588328-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: ZSK 
> lerctr.org/ECDSAP256SHA256/6539 type DNSKEY in stable state OMNIPRESENT
> <183>1 2022-02-09T02:18:28.588338-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine ZSK 
> lerctr.org/ECDSAP256SHA256/6539 type ZRRSIG in state OMNIPRESENT
> <183>1 2022-02-09T02:18:28.588348-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: ZSK 
> lerctr.org/ECDSAP256SHA256/6539 type ZRRSIG in stable state OMNIPRESENT
> <183>1 2022-02-09T02:18:28.588359-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine KSK 
> lerctr.org/RSASHA256/269 type DNSKEY in state OMNIPRESENT
> <183>1 2022-02-09T02:18:28.588369-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: KSK 
> lerctr.org/RSASHA256/269 type DNSKEY in stable state OMNIPRESENT
> <183>1 2022-02-09T02:18:28.588379-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine KSK 
> lerctr.org/RSASHA256/269 type KRRSIG in state OMNIPRESENT
> <183>1 2022-02-09T02:18:28.588389-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: KSK 
> lerctr.org/RSASHA256/269 type KRRSIG in stable state OMNIPRESENT
> <183>1 2022-02-09T02:18:28.588399-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: examine KSK 
> lerctr.org/RSASHA256/269 type DS in state HIDDEN
> <183>1 2022-02-09T02:18:28.588410-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: can we 
> transition KSK lerctr.org/RSASHA256/269 type DS state HIDDEN to state 
> RUMOURED?
> <183>1 2022-02-09T02:18:28.588432-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: dnssec 
> evaluation of KSK lerctr.org/RSASHA256/269 record DS: rule1=(~false or 
> true) rule2=(~true or true) rule3=(~true or false)
> <183>1 2022-02-09T02:18:28.588453-06:00 thebighonker.lerctr.org named 
> 44101 - - 09-Feb-2022 02:18:28.588 dnssec: debug 1: keymgr: dnssec says 
> no to KSK lerctr.org/RSASHA256/269 type DS state HIDDEN to state RUMOURED
> 
> ler in thebighonker in ~ via ☕ v1.8.0 via 🐪 v5.32.1 via 💎 v2.7.5 as 🧙
>> 
> On 02/10/2022 6:20 am, Matthijs Mekking wrote:
>> Hi Larry,
>>
>> There has been several bug fixes for dnssec-policy since its
>> introduction. What version of 9.17 are you running?
>>
>> I can't tell what causes the ds to stay in the hidden state. The
>> timings in the state file should allow it to move to the next state.
>>
>> If you were able to turn on logging, on each run the keymgr will tell
>> you the reason why it cannot move the DS to the next state. Such logs
>> happen on DEBUG(1) level.
>>
>> Best regards,
>>
>> Matthijs
>>
>>
>>
>> On 09-02-2022 17:35, Larry Rosenman wrote:
>>> On 02/09/2022 9:52 am, Matthijs Mekking wrote:
>>>> Hi Larry,
>>>>
>>>> Without more information it is hard to tell what is going on.
>>>>
>>>> Can you share your dnssec-policy and the contents of the key state
>>>> file? And if you have useful logs (grep for keymgr) that would be
>>>> handy too to see what is going on.
>>>>
>>>> If you prefer to share them off list, you can mail them me directly.
>>>>
>>>> Best regards,
>>>>
>>>> Matthijs
>>>>
>>>> On 08-02-2022 18:00, Larry Rosenman wrote:
>>>>> Greetings,
>>>>>      new poster.  I just converted over to DNSSEC-policy,  and 
>>>>> rolled my KSK.  I see:
>>>>> key: 269 (RSASHA256), KSK
>>>>>    published:      yes - since Sun Feb  6 14:31:32 2022
>>>>>    key signing:    yes - since Sun Feb  6 14:31:32 2022
>>>>>
>>>>>    No rollover scheduled
>>>>>    - goal:           omnipresent
>>>>>    - dnskey:         omnipresent
>>>>>    - ds:             hidden
>>>>>    - key rrsig:      omnipresent
>>>>>
>>>>>
>>>>> ler in thebighonker in namedb🔒 on  master [!] as 🧙
>>>>>>>>>>
>>>>> Is it normal to see the ds as hidden?  It IS published, and I told 
>>>>> rndc that.
>>>>>
>>>>> Any insight appreciated.
>>>>>
>>>
>>> thebighonker# cat Klerctr.org.+008+00269.state
>>> ; This is the state of key 269, for lerctr.org.
>>> Algorithm: 8
>>> Length: 2048
>>> Lifetime: 0
>>> Predecessor: 20014
>>> KSK: yes
>>> ZSK: no
>>> Generated: 20220206203132 (Sun Feb  6 14:31:32 2022)
>>> Published: 20220206203132 (Sun Feb  6 14:31:32 2022)
>>> Active: 20220206213632 (Sun Feb  6 15:36:32 2022)
>>> DSPublish: 20220207015646 (Sun Feb  6 19:56:46 2022)
>>> PublishCDS: 20220206223632 (Sun Feb  6 16:36:32 2022)
>>> DNSKEYChange: 20220206223632 (Sun Feb  6 16:36:32 2022)
>>> KRRSIGChange: 20220206223632 (Sun Feb  6 16:36:32 2022)
>>> DSChange: 20220206203132 (Sun Feb  6 14:31:32 2022)
>>> DNSKEYState: omnipresent
>>> KRRSIGState: omnipresent
>>> DSState: hidden
>>> GoalState: omnipresent
>>> thebighonker#
>>>
>>> dnssec-policy "ler1" {
>>>         keys {
>>>                 ksk lifetime unlimited algorithm 8 2048 ;
>>>                 zsk lifetime 30d algorithm 13;
>>>         };
>>>         // Key timings
>>>         dnskey-ttl 3600;
>>>         publish-safety 1h;
>>>         retire-safety 1h;
>>>         purge-keys P90D;
>>>         // Signature timings
>>>         signatures-refresh 5d;
>>>         signatures-validity 14d;
>>>         signatures-validity-dnskey 14d;
>>>         // Zone parameters
>>>         max-zone-ttl 86400;
>>>         zone-propagation-delay 300;
>>>         // Parent parameters
>>>         parent-ds-ttl 86400;
>>>         parent-propagation-delay 1h;
>>>         nsec3param iterations 0 salt-length 0;
>>> };
>>>
>>> Unfortunately my 9.17(alpha) named got into a signing loop, so I 
>>> don't want to look through that logging.
>>>
>>> I know -- I need to update to 9.18, but am waiting on the FreeBSD 
>>> port maintainer to add 9.18 to the ports tree
>

More information about the bind-users mailing list