DNSSEC transition from manually signed zone to dnssec-policy "standard" failed
Matthijs Mekking
matthijs at isc.org
Thu Jun 2 05:30:48 UTC 2022
Hello Mirsad,
You changed to dnssec-policy with different key algorithms than you used
for manual signing:
Jun 1 21:46:06 domac named[46537]: keymgr: retire DNSKEY
alu.hr/RSASHA256/46119 (ZSK)
Jun 1 21:46:06 domac named[46537]: keymgr: retire DNSKEY
alu.hr/RSASHA256/34042 (KSK)
Jun 1 21:46:06 domac named[46537]: keymgr: DNSKEY
alu.hr/ECDSAP256SHA256/43987 (KSK) created for policy standard
Jun 1 21:46:06 domac named[46537]: keymgr: DNSKEY
alu.hr/ECDSAP256SHA256/3502 (ZSK) created for policy standard
You had RSASHA256 DNSSEC keys, but you started using a DNSSEC policy
with ECDSAP256SHA256 keys.
Since the existing keys do not match the policy, BIND started a key
rollover.
See https://kb.isc.org/docs/dnssec-key-and-signing-policy for more
information about migration to dnssec-policy.
Also changing from directory and file "/etc/bind/zones/alu.hr.db.signed"
to file "/var/cache/bind/alu.hr.db" may be causing some problems.
There also seems to be a permission problem:
Jun 1 22:03:38 domac named[46537]: dns_dnssec_keylistfromrdataset:
error reading /var/cache/bind/keys/Kalu.hr.+013+03502.private: file not
found
Jun 1 22:03:38 domac named[46537]: dns_dnssec_keylistfromrdataset:
error reading /var/cache/bind/keys/Kalu.hr.+013+43987.private: file not
found
Hope these pointers help.
- Matthijs
On 01-06-2022 23:14, Mirsad Goran Todorovac wrote:
> Dear All,
>
> I have tried to switch from manually signed DNSSEC zone to dnssec-policy
> "standard", and BIND9 server started
> behaving oddly. Here is the manual signing conf:
>
> include "/etc/bind/keys/domac.alu.hr-tsig.key";
>
> zone "alu.hr" in {
> type master;
> file "/etc/bind/zones/alu.hr.db.signed";
> allow-transfer { key domac.alu.hr-key; 161.53.2.70; };
> also-notify { 31.147.205.54; 161.53.2.70; };
> forwarders {};
> };
>
> ... and the automatic signing conf:
>
> zone "alu.hr" in {
> type master;
> file "/var/cache/bind/alu.hr.db";
> allow-transfer { key domac.alu.hr-key; 161.53.2.70; };
> also-notify { 31.147.205.54; 161.53.2.70; };
> dnssec-policy "standard";
> forwarders {};
> };
>
> There was a symbolic link /var/cache/bind/alu.hr.db ->
> /etc/bind/zones/alu.hr.db .
>
> The logfile is too long to post, so I will add link:
> https://domac.alu.hr/~mtodorov/tmp/named-20220601.log
>
> NOTE: Fun starts when I tried to automatically sign zone in zonefile
> /etc/bind/zones/alu.hr.db, and APPARMOR denied opening file to BIND.
> Maybe that confused the good old BIND9 server?
>
> Then I added link in /var/cache/bind, as for DDNS zones.
>
> Then the zone appeared signed, but with only NSEC records, no RRSIGs,
> with this in log:
>
> Jun 1 21:52:42 domac named[46537]: scheduled loading new zones
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (unsigned): loaded
> serial 2022060101
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): loaded
> serial 2022060101
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed):
> receive_secure_serial: unchanged
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): sending
> notifies (serial 2022060101)
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed):
> reconfiguring zone keys
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to
> lock key files, but no key file lock available, abort
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to
> lock key files, but no key file lock available, abort
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to
> lock key files, but no key file lock available, abort
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to
> lock key files, but no key file lock available, abort
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed):
> zone_rekey:dns_zone_getdnsseckeys failed: not found
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to
> lock key files, but no key file lock available, abort
> Jun 1 21:52:42 domac named[46537]: keymgr: retire DNSKEY
> alu.hr/RSASHA256/46119 (ZSK)
> Jun 1 21:52:42 domac named[46537]: keymgr: retire DNSKEY
> alu.hr/RSASHA256/34042 (KSK)
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to
> lock key files, but no key file lock available, abort
> Jun 1 21:52:42 domac named[46537]: Fetching alu.hr/ECDSAP256SHA256/3502
> (ZSK) from key repository.
> Jun 1 21:52:42 domac named[46537]: DNSKEY alu.hr/ECDSAP256SHA256/3502
> (ZSK) is now published
> Jun 1 21:52:42 domac named[46537]: DNSKEY alu.hr/ECDSAP256SHA256/3502
> (ZSK) is now active
> Jun 1 21:52:42 domac named[46537]: Fetching
> alu.hr/ECDSAP256SHA256/43987 (KSK) from key repository.
> Jun 1 21:52:42 domac named[46537]: DNSKEY alu.hr/ECDSAP256SHA256/43987
> (KSK) is now published
> Jun 1 21:52:42 domac named[46537]: DNSKEY alu.hr/ECDSAP256SHA256/43987
> (KSK) is now active
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to
> lock key files, but no key file lock available, abort
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to
> lock key files, but no key file lock available, abort
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): next key
> event: 01-Jun-2022 23:46:06.043
> Jun 1 21:52:42 domac named[46537]: any newly configured zones are now
> loaded
> Jun 1 21:52:42 domac named[46537]: running
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to
> lock key files, but no key file lock available, abort
> Jun 1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to
> lock key files, but no key file lock available, abort
>
> I couldn't Google out any such message.
>
> However, the BIND server started acting like a runaway, displaying lines
> like this in the log:
>
> Jun 1 22:06:55 domac named[43715]: validating arpa/DS: no valid
> signature found
> Jun 1 22:06:55 domac named[43715]: validating arpa/DS: no valid
> signature found
> Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid
> signature found
> Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid
> signature found
> Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid
> signature found
> Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid
> signature found
> Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid
> signature found
> Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid
> signature found
> Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid
> signature found
> Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid
> signature found
> Jun 1 22:06:56 domac named[43715]: validating hr/DS: no valid signature
> found
> Jun 1 22:06:56 domac named[43715]: validating hr/DS: no valid signature
> found
> Jun 1 22:06:56 domac named[43715]: validating hr/DS: no valid signature
> found
> Jun 1 22:06:56 domac named[43715]: validating arpa/DS: no valid
> signature found
> Jun 1 22:06:56 domac named[43715]: validating ./NS: no valid signature
> found
>
> ... and at very fast rate, so I reverted to the manually signed conf.
>
> Any idea how I could still apply dnssec-policy? Manual signing works,
> but it is tedious, and easy to forget to sign ...
>
> For other subzones, mainly slava.alu.hr, conversion from manually signed
> RSA keys to automatically signed DNSSEC standard policy worked
> out-of-the-box.
>
> HERE is the policy (from DNSSEC manual):
>
> dnssec-policy standard {
> dnskey-ttl 600;
> keys {
> ksk lifetime 365d algorithm ecdsap256sha256;
> zsk lifetime 60d algorithm ecdsap256sha256;
> };
> max-zone-ttl 600;
> parent-ds-ttl 600;
> parent-propagation-delay 2h;
> publish-safety 7d;
> retire-safety 7d;
> signatures-refresh 5d;
> signatures-validity 15d;
> signatures-validity-dnskey 15d;
> zone-propagation-delay 2h;
> };
>
> Thanks for any idea how to get out of this.
>
> Hope this helps.
>
> Kind regards,
> Mirsad
>
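A pre-migration check for the two problems Matthijs points out (the policy's algorithm differing from the existing keys, which makes named start a rollover, and .private key files named cannot read), added here as an example and not taken from either message. The zone name, key directory and policy algorithm are parameters; the key directory it inspects is constructed in a temporary directory and only mirrors the file names from the log.

```shell
#!/bin/sh
# Added example, not from the thread: before pointing a manually signed zone
# at a dnssec-policy, check that the existing key files use the algorithm the
# policy will create and that every .key has a readable .private beside it.
# File names follow BIND's K<zone>.+<alg>+<tag>.key convention,
# e.g. Kalu.hr.+013+03502.key.

# DNSKEY algorithm number -> mnemonic, as named prints it in keymgr log lines.
alg_name() {
  case "$1" in
    008) echo RSASHA256 ;;
    010) echo RSASHA512 ;;
    013) echo ECDSAP256SHA256 ;;
    014) echo ECDSAP384SHA384 ;;
    015) echo ED25519 ;;
    *)   echo "UNKNOWN($1)" ;;
  esac
}

# check_keys <zone> <key-directory> <policy-algorithm>
# Prints OK, ALG-MISMATCH or NO-PRIVATE per key file; returns 1 if any key
# would trigger a rollover or cannot be used for signing, 2 if none found.
check_keys() {
  zone=$1; dir=$2; want=$(echo "$3" | tr '[:lower:]' '[:upper:]'); rc=0
  for k in "$dir"/K"$zone".+*+*.key; do
    [ -e "$k" ] || { echo "NO-KEYS $dir"; return 2; }
    base=${k%.key}
    alg=${base#*.+}; alg=${alg%%+*}   # 3-digit algorithm number
    tag=${base##*+}                   # key tag as written in the file name
    have=$(alg_name "$alg")
    if [ ! -r "$base.private" ]; then
      echo "NO-PRIVATE $zone/$have/$tag"; rc=1
    elif [ "$have" != "$want" ]; then
      echo "ALG-MISMATCH $zone/$have/$tag (policy wants $want)"; rc=1
    else
      echo "OK $zone/$have/$tag"
    fi
  done
  return $rc
}

# Constructed sample key directory mirroring the thread: old RSASHA256 keys
# with private halves present, new ECDSAP256SHA256 keys without them.
demo=$(mktemp -d)
touch "$demo/Kalu.hr.+008+46119.key" "$demo/Kalu.hr.+008+46119.private"
touch "$demo/Kalu.hr.+008+34042.key" "$demo/Kalu.hr.+008+34042.private"
touch "$demo/Kalu.hr.+013+03502.key" "$demo/Kalu.hr.+013+43987.key"
check_keys alu.hr "$demo" ecdsap256sha256 || echo "alu.hr not ready for this policy (rc=$?)"
rm -rf "$demo"
```

Run it against the real key-directory with the algorithm from the policy's `keys` block before changing the zone statement; a clean run prints only OK lines and exits 0.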