DNSSEC transition from manually signed zone to dnssec-policy "standard" failed

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Sat Jun 4 04:47:03 UTC 2022


Hello Matthijs,

Apparently, AppArmor denied opening of the journal file in 
/etc/bind/zones even when the directory had bind group write 
permissions. Also, I tried to move the zone to /var/cache/bind and 
upgrade the DNSSEC policy at the same time, which appears to have been too 
much for good old BIND :)

The workaround was rather tricky:

1. Unregister DS delegation signer record from the parent zone
2. Revert to unsigned zone
3. Stop the bind9 service and remove the journal files for the zone from 
/var/cache/bind
4. Move the zone to /var/cache/bind
5. Start the bind9 service
6. Check if the zone loaded OK
7. Change the dnssec-policy for the zone in question
8. Run "rndc reconfig"
9. Check if zone is signed
10. Wait until the zone propagates and register new DS to parent zone

Best regards,
Mirsad

On 6/2/2022 7:30 AM, Matthijs Mekking wrote:
> Hello Mirsad,
>
> You changed to dnssec-policy with different key algorithms than you 
> used for manual signing:
>
> Jun  1 21:46:06 domac named[46537]: keymgr: retire DNSKEY 
> alu.hr/RSASHA256/46119 (ZSK)
> Jun  1 21:46:06 domac named[46537]: keymgr: retire DNSKEY 
> alu.hr/RSASHA256/34042 (KSK)
> Jun  1 21:46:06 domac named[46537]: keymgr: DNSKEY 
> alu.hr/ECDSAP256SHA256/43987 (KSK) created for policy standard
> Jun  1 21:46:06 domac named[46537]: keymgr: DNSKEY 
> alu.hr/ECDSAP256SHA256/3502 (ZSK) created for policy standard
>
> You had RSASHA256 DNSSEC keys, but you started using a DNSSEC policy 
> with ECDSAP256SHA256 keys.
>
> Since the existing keys do not match the policy, BIND started a key 
> rollover.
>
> See https://kb.isc.org/docs/dnssec-key-and-signing-policy for more 
> information about migration to dnssec-policy.
>
> Also changing from directory and file 
> "/etc/bind/zones/alu.hr.db.signed" to file "/var/cache/bind/alu.hr.db" 
> may be causing some problems.
>
> There also seems to be a permission problem:
>
> Jun  1 22:03:38 domac named[46537]: dns_dnssec_keylistfromrdataset: 
> error reading /var/cache/bind/keys/Kalu.hr.+013+03502.private: file 
> not found
> Jun  1 22:03:38 domac named[46537]: dns_dnssec_keylistfromrdataset: 
> error reading /var/cache/bind/keys/Kalu.hr.+013+43987.private: file 
> not found
>
> Hope these pointers help.
>
> - Matthijs
>
>
>
> On 01-06-2022 23:14, Mirsad Goran Todorovac wrote:
>> Dear All,
>>
>> I have tried to switch from manually signed DNSSEC zone to 
>> dnssec-policy "standard", and BIND9 server started
>> behaving odd. Here is the manual signing conf:
>>
>> include "/etc/bind/keys/domac.alu.hr-tsig.key";
>>
>> zone "alu.hr" in {
>>          type master;
>>          file "/etc/bind/zones/alu.hr.db.signed";
>>          allow-transfer { key domac.alu.hr-key; 161.53.2.70; };
>>          also-notify { 31.147.205.54; 161.53.2.70; };
>>          forwarders {};
>> };
>>
>> ... and the automatic signing conf:
>>
>> zone "alu.hr" in {
>>          type master;
>>          file "/var/cache/bind/alu.hr.db";
>>          allow-transfer { key domac.alu.hr-key; 161.53.2.70; };
>>          also-notify { 31.147.205.54; 161.53.2.70; };
>>          dnssec-policy "standard";
>>          forwarders {};
>> };
>>
>> There was a symbolic link /var/cache/bind/alu.hr.db -> 
>> /etc/bind/zones/alu.hr.db .
>>
>> The logfile is too long to post, so I will add link: 
>> https://domac.alu.hr/~mtodorov/tmp/named-20220601.log
>>
>> NOTE: Fun starts when I tried to automatically sign the zone in zonefile 
>> /etc/bind/zones/alu.hr.db, and AppArmor denied opening the file to BIND. 
>> Maybe that confused the good old BIND9 server?
>>
>> Then I added a link in /var/cache/bind, as for DDNS zones.
>>
>> Then the zone appeared signed, but with only NSEC records, no RRSIGs, 
>> with this in the log:
>>
>> Jun  1 21:52:42 domac named[46537]: scheduled loading new zones
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (unsigned): loaded 
>> serial 2022060101
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): loaded 
>> serial 2022060101
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): 
>> receive_secure_serial: unchanged
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): sending 
>> notifies (serial 2022060101)
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): 
>> reconfiguring zone keys
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt 
>> to lock key files, but no key file lock available, abort
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt 
>> to lock key files, but no key file lock available, abort
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt 
>> to lock key files, but no key file lock available, abort
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt 
>> to lock key files, but no key file lock available, abort
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): 
>> zone_rekey:dns_zone_getdnsseckeys failed: not found
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt 
>> to lock key files, but no key file lock available, abort
>> Jun  1 21:52:42 domac named[46537]: keymgr: retire DNSKEY 
>> alu.hr/RSASHA256/46119 (ZSK)
>> Jun  1 21:52:42 domac named[46537]: keymgr: retire DNSKEY 
>> alu.hr/RSASHA256/34042 (KSK)
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt 
>> to lock key files, but no key file lock available, abort
>> Jun  1 21:52:42 domac named[46537]: Fetching 
>> alu.hr/ECDSAP256SHA256/3502 (ZSK) from key repository.
>> Jun  1 21:52:42 domac named[46537]: DNSKEY 
>> alu.hr/ECDSAP256SHA256/3502 (ZSK) is now published
>> Jun  1 21:52:42 domac named[46537]: DNSKEY 
>> alu.hr/ECDSAP256SHA256/3502 (ZSK) is now active
>> Jun  1 21:52:42 domac named[46537]: Fetching 
>> alu.hr/ECDSAP256SHA256/43987 (KSK) from key repository.
>> Jun  1 21:52:42 domac named[46537]: DNSKEY 
>> alu.hr/ECDSAP256SHA256/43987 (KSK) is now published
>> Jun  1 21:52:42 domac named[46537]: DNSKEY 
>> alu.hr/ECDSAP256SHA256/43987 (KSK) is now active
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt 
>> to lock key files, but no key file lock available, abort
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt 
>> to lock key files, but no key file lock available, abort
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): next key 
>> event: 01-Jun-2022 23:46:06.043
>> Jun  1 21:52:42 domac named[46537]: any newly configured zones are 
>> now loaded
>> Jun  1 21:52:42 domac named[46537]: running
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt 
>> to lock key files, but no key file lock available, abort
>> Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt 
>> to lock key files, but no key file lock available, abort
>>
>> I couldn't Google out any such message.
>>
>> However, the BIND server started acting like a runaway, displaying 
>> lines like this in the log:
>>
>> Jun  1 22:06:55 domac named[43715]: validating arpa/DS: no valid 
>> signature found
>> Jun  1 22:06:55 domac named[43715]: validating arpa/DS: no valid 
>> signature found
>> Jun  1 22:06:56 domac named[43715]: validating arpa/DS: no valid 
>> signature found
>> Jun  1 22:06:56 domac named[43715]: validating arpa/DS: no valid 
>> signature found
>> Jun  1 22:06:56 domac named[43715]: validating arpa/DS: no valid 
>> signature found
>> Jun  1 22:06:56 domac named[43715]: validating arpa/DS: no valid 
>> signature found
>> Jun  1 22:06:56 domac named[43715]: validating arpa/DS: no valid 
>> signature found
>> Jun  1 22:06:56 domac named[43715]: validating arpa/DS: no valid 
>> signature found
>> Jun  1 22:06:56 domac named[43715]: validating arpa/DS: no valid 
>> signature found
>> Jun  1 22:06:56 domac named[43715]: validating arpa/DS: no valid 
>> signature found
>> Jun  1 22:06:56 domac named[43715]: validating hr/DS: no valid 
>> signature found
>> Jun  1 22:06:56 domac named[43715]: validating hr/DS: no valid 
>> signature found
>> Jun  1 22:06:56 domac named[43715]: validating hr/DS: no valid 
>> signature found
>> Jun  1 22:06:56 domac named[43715]: validating arpa/DS: no valid 
>> signature found
>> Jun  1 22:06:56 domac named[43715]: validating ./NS: no valid 
>> signature found
>>
>> ... and at very fast rate, so I reverted to the manually signed conf.
>>
>> Any idea how could I still apply dnssec-policy? Manual signing works, 
>> but it is tedious, and easy to forget to sign ...
>>
>> For other subzones, mainly slava.alu.hr, conversion from manually 
>> signed RSA keys to automatically signed DNSSEC standard policy worked 
>> out-of-the-box.
>>
>> HERE is the policy (from DNSSEC manual):
>>
>> dnssec-policy standard {
>>      dnskey-ttl 600;
>>      keys {
>>          ksk lifetime 365d algorithm ecdsap256sha256;
>>          zsk lifetime 60d algorithm ecdsap256sha256;
>>      };
>>      max-zone-ttl 600;
>>      parent-ds-ttl 600;
>>      parent-propagation-delay 2h;
>>      publish-safety 7d;
>>      retire-safety 7d;
>>      signatures-refresh 5d;
>>      signatures-validity 15d;
>>      signatures-validity-dnskey 15d;
>>      zone-propagation-delay 2h;
>> };
>>
>> Thanks for any idea how to get out of this.
>>
>> Hope this helps.
>>
>> Kind regards,
>> Mirsad
>>
--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
-- 
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
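The diagnosis Matthijs gives above (an algorithm rollover started because the existing RSASHA256 keys did not match the ECDSAP256SHA256 policy, private key files not readable where named looked for them, key-file lock failures, and then a burst of validation failures) can be pulled out of a named log mechanically. The script below is an added example, not ISC code and not part of this thread; the SAMPLE_LOG it contains is constructed from lines modelled on the ones quoted above, not a real capture, and the burst threshold of ten failures per second is an assumption chosen to match the quoted log rate.

```python
"""Triage a BIND 9 named log for the dnssec-policy migration symptoms seen in
this thread.  Added example, not ISC code.  SAMPLE_LOG is constructed: its
lines are modelled on the ones quoted in the thread, not a real capture."""
import re
from collections import Counter, defaultdict

_BASE = """\
Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to lock key files, but no key file lock available, abort
Jun  1 21:52:42 domac named[46537]: keymgr: retire DNSKEY alu.hr/RSASHA256/46119 (ZSK)
Jun  1 21:52:42 domac named[46537]: keymgr: retire DNSKEY alu.hr/RSASHA256/34042 (KSK)
Jun  1 21:52:42 domac named[46537]: keymgr: DNSKEY alu.hr/ECDSAP256SHA256/43987 (KSK) created for policy standard
Jun  1 21:52:42 domac named[46537]: keymgr: DNSKEY alu.hr/ECDSAP256SHA256/3502 (ZSK) created for policy standard
Jun  1 21:52:42 domac named[46537]: zone alu.hr/IN (signed): attempt to lock key files, but no key file lock available, abort
Jun  1 22:03:38 domac named[46537]: dns_dnssec_keylistfromrdataset: error reading /var/cache/bind/keys/Kalu.hr.+013+03502.private: file not found
Jun  1 22:03:38 domac named[46537]: dns_dnssec_keylistfromrdataset: error reading /var/cache/bind/keys/Kalu.hr.+013+43987.private: file not found
Jun  1 22:06:55 domac named[43715]: validating arpa/DS: no valid signature found
"""
# Twelve validation failures inside one second, modelled on the quoted burst.
SAMPLE_LOG = _BASE + "".join(
    "Jun  1 22:06:56 domac named[43715]: validating arpa/DS: no valid signature found\n"
    for _ in range(12)
)

# syslog-style prefix that named lines carry: "Jun  1 21:52:42 host named[pid]: msg"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RETIRE = re.compile(r"keymgr: retire DNSKEY (?P<zone>[^/\s]+)/(?P<alg>\w+)/(?P<id>\d+) \((?P<role>KSK|ZSK)\)")
CREATED = re.compile(r"keymgr: DNSKEY (?P<zone>[^/\s]+)/(?P<alg>\w+)/(?P<id>\d+) \((?P<role>KSK|ZSK)\)"
                     r" created for policy (?P<policy>\S+)")
LOCK = re.compile(r"zone (?P<zone>[^/\s]+)/IN \(signed\): attempt to lock key files, but no key file lock available")
MISSING = re.compile(r"error reading (?P<path>\S+): file not found")
VALFAIL = re.compile(r"validating (?P<name>[^/\s]+)/(?P<type>\S+): no valid signature found")


def triage(log_text, storm_threshold=10):
    """Return structured findings for one named log (see the keys of the result)."""
    rollover = defaultdict(lambda: {"retired": set(), "created": set(), "policy": None})
    missing, lock_failures, valfail_per_second = [], Counter(), Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a syslog-style named line
        ts, msg = m["ts"], m["msg"]
        if k := RETIRE.search(msg):
            rollover[k["zone"]]["retired"].add(k["alg"])
        elif k := CREATED.search(msg):
            rollover[k["zone"]]["created"].add(k["alg"])
            rollover[k["zone"]]["policy"] = k["policy"]
        elif k := LOCK.search(msg):
            lock_failures[k["zone"]] += 1
        elif k := MISSING.search(msg):
            missing.append(k["path"])
        elif VALFAIL.search(msg):
            valfail_per_second[ts] += 1  # bucket by the one-second syslog timestamp

    findings = []
    for zone, info in rollover.items():
        # Keys retired and keys created with different algorithms in the same run:
        # the policy did not adopt the existing keys, it started an algorithm rollover.
        if info["retired"] and info["created"] and info["retired"] != info["created"]:
            findings.append(
                f"{zone}: policy {info['policy']!r} creates {sorted(info['created'])} keys while "
                f"the existing keys are {sorted(info['retired'])}: named started an algorithm "
                f"rollover instead of adopting the existing keys")
    for path in missing:
        findings.append(f"{path}: private key not readable where named expects it "
                        f"(check key-directory, file ownership and the AppArmor profile)")
    for zone, n in lock_failures.items():
        findings.append(f"{zone}: {n} key-file lock failure(s); named could not lock its key directory")
    peak = max(valfail_per_second.values(), default=0)
    if peak >= storm_threshold:
        findings.append(f"validation failure burst: {peak} 'no valid signature found' lines in one second")
    return {"rollover": dict(rollover), "missing_key_files": missing,
            "lock_failures": dict(lock_failures),
            "peak_validation_failures_per_second": peak, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(" -", finding)
```

Run it against a real log with `python3 triage.py < /dev/null` replaced by reading the file into `triage()`; the "retire"/"created" pairing is the part worth looking at first, since a rollover you did not intend is what turns a config change into a DS change at the parent.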
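The ten-step workaround above amounts to making sure, before "rndc reconfig", that named will find the existing keys in its key directory, that the policy's algorithm matches them unless a rollover is wanted, that the directory is writable, and that no stale journal is left beside the moved zone file. The pre-flight script below is an added example, not ISC code and not something posted in this thread. It assumes BIND's key file naming (K<zone>.+<alg>+<id>.key / .private, as in the log above) and the IANA DNSSEC algorithm numbers (8 = RSASHA256, 13 = ECDSAP256SHA256); the fixture directory it builds is constructed test data. One caveat a practitioner should keep in mind: os.access() reports only the ordinary file permissions, so an AppArmor denial of the kind described above will not show up here and still has to be checked in the kernel log.

```python
"""Pre-flight check before moving a zone from manual signing to dnssec-policy.
Added example, not ISC code; it encodes the conditions that went wrong in this
thread.  build_fixture() creates constructed test data in a temp directory."""
import os
import re
import tempfile

# IANA DNSSEC algorithm numbers, as they appear in BIND key file names.
ALGORITHMS = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
# Kalu.hr.+013+03502.key / .private (the form quoted in the thread's log)
KEYFILE = re.compile(r"^K(?P<name>[^+]+)\.\+(?P<alg>\d{3})\+(?P<id>\d{5})\.(?P<ext>key|private)$")


def check_zone_migration(zone, key_dir, zone_file, policy_alg):
    """Return the keys found for `zone` in `key_dir` and a list of problems that
    would make a switch to a dnssec-policy using `policy_alg` misbehave."""
    zone = zone.lower().rstrip(".")
    policy_alg = policy_alg.upper()
    keys = {}  # (alg number, key id) -> set of extensions present
    for fn in os.listdir(key_dir):
        m = KEYFILE.match(fn)
        if m and m["name"].lower().rstrip(".") == zone:
            keys.setdefault((int(m["alg"]), m["id"]), set()).add(m["ext"])

    problems, existing = [], []
    for (alg, kid), exts in sorted(keys.items()):
        name = ALGORITHMS.get(alg, f"alg{alg}")
        existing.append({"alg": name, "id": kid})
        # named signs with the .private file; a lone .key is the "file not found" case.
        if "private" not in exts:
            problems.append(f"K{zone}.+{alg:03d}+{kid}.private is missing: named cannot sign with key {kid}")

    existing_algs = {k["alg"] for k in existing}
    if existing_algs and policy_alg not in existing_algs:
        # Same situation as in the thread: the policy does not match the keys named
        # already has, so it retires them and starts an algorithm rollover.
        problems.append(
            f"policy algorithm {policy_alg} differs from the existing keys {sorted(existing_algs)}: "
            f"named will start an algorithm rollover; to adopt the keys first, use a policy with "
            f"algorithm {sorted(existing_algs)[0].lower()} and change the algorithm later")

    # DAC check only; an AppArmor profile can still deny writes here (not visible to os.access).
    if not os.access(key_dir, os.W_OK):
        problems.append(f"{key_dir} is not writable: named must write key state and lock files there")

    # BIND keeps the journal next to the zone file as <file>.jnl; a stale one from the
    # old path is what step 3 of the workaround removes.
    journal = zone_file + ".jnl"
    if os.path.exists(journal):
        problems.append(f"stale journal {journal} exists; stop named and remove it before moving the zone file")
    return {"existing_keys": existing, "problems": problems}


def build_fixture():
    """Constructed fixture: one complete RSASHA256 key pair, one RSASHA256 key
    whose .private is missing, a zone file and a leftover journal."""
    root = tempfile.mkdtemp(prefix="dnssec-preflight-")
    key_dir = os.path.join(root, "keys")
    os.mkdir(key_dir)
    for fn in ("Kalu.hr.+008+34042.key", "Kalu.hr.+008+34042.private",
               "Kalu.hr.+008+46119.key"):
        open(os.path.join(key_dir, fn), "w").close()
    zone_file = os.path.join(root, "alu.hr.db")
    open(zone_file, "w").close()
    open(zone_file + ".jnl", "w").close()
    return {"key_dir": key_dir, "zone_file": zone_file}


if __name__ == "__main__":
    fx = build_fixture()
    report = check_zone_migration("alu.hr", fx["key_dir"], fx["zone_file"], "ecdsap256sha256")
    for problem in report["problems"]:
        print(" -", problem)
```

Against a live server, point key_dir at the zone's key-directory and zone_file at the path in the zone statement, and run it as the user named runs as so that the writability check reflects named's view rather than root's.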



More information about the bind-users mailing list