understanding keymgr handling of KSK

Michael Richardson mcr at sandelman.ca
Sun May 8 20:26:25 UTC 2022 

I have moved from dnssec-tools to having bind9 do all the management itself.
There are a couple of things that I don't understand, and I find that the
FAQs and howtos I've read are rather too introductory for me.
I have been signing my zones since around 2004...
I will attempt to blog some of my experiences, but I'm a bit lost.

I keep my zones in /etc/domain/foo.com/db.foo.com, usually a few zones in
"foo.com" related to foo.com, like foo.net, reverses... and I allow Debian's
etckeeper to track changes there.  etckeeper is mostly very nice, but there
is some interaction among tools that sometimes winds up with my zone files
getting truncated to zero.  But, it being git, one can keep extra copies.
I haven't caught it in the act yet.
Probably I should change the key-directory to be a different directory,
because maybe letting etckeeper do stuff with keys is a bad idea.
(I'm more concerned about keys getting lost due to VMs going bad that I am
about keys getting disclosed because I git cloned the repo to my laptop.
You may feel different about security, good for you)

1) I'm unclear about freeze/thaw and signing and editing.
   I prefer to edit my zones with vi/emacs/sshfs/tramp.
   For that reason, I have them g+w, group bind, and my login is in the
   "bind" group, and my user id can rndc reload.

2) I've historically had a perl script that updated the SERIAL in place,
   based upon YYYYMMDDLL, where XX was Hour*4 + minutes/15.
   And LL was always maintained as > than last time.
   https://www.sandelman.ca/tmp/updateser you care.

3) I have a very few dynamic zones which are updated by DNS update.
I have basically CNAME'ed all my dns-01 LetsEncrypt challenges into
a single zone that I allow to completely dynamically managed.

4) I don't understand the difference between "auto-dnssec maintain;"
   and "dnssec-policy default"  (given that I haven't overridden anything).

5) Did $INCLUDE change such that it no longer accepts path names relative to the
zone file that included it? (no, not really DNSSEC related, but maybe bind
9.11 vs bind 9.16 changes)

6) Sometime yesterday (or maybe Friday night) many of my zones went offline:

tuna-[~] lmcr 10002 %dig @8.8.8.8 list.goslingcommunity.org

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> @8.8.8.8 list.goslingcommunity.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45108
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

looks like failure to find the right keys.

I investigated, and the first thing I did was "rndc reload", and magically
everything started working again.   No idea what happened.

I poke around and I look at one of the state files:

tilapia-[/etc/domain/brski.org] mcr 10010 %cat Krfc8995.org.+013+65171.state
; This is the state of key 65171, for rfc8995.org.
Algorithm: 13
Length: 256
KSK: yes
ZSK: no
Generated: 20210503023712 (Sun May  2 22:37:12 2021)
Published: 20210503023712 (Sun May  2 22:37:12 2021)
Active: 20210503023712 (Sun May  2 22:37:12 2021)
Retired: 20220505221112 (Thu May  5 18:11:12 2022)
Removed: 20220507001112 (Fri May  6 20:11:12 2022)        <<<---- SURPRISING!!!
DNSKEYChange: 20220505221612 (Thu May  5 18:16:12 2022)
ZRRSIGChange: 20220506231836 (Fri May  6 19:18:36 2022)
KRRSIGChange: 20220505221612 (Thu May  5 18:16:12 2022)
DSChange: 20220505221112 (Thu May  5 18:11:12 2022)
DNSKEYState: hidden
ZRRSIGState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden

okay, let's go look at the one that I had the servfail for:

tilapia-[/etc/domain/goslingcommunity.org] mcr 10029 %cat Kgoslingcommunity.org.+005+05881.state
; This is the state of key 5881, for goslingcommunity.org.
Algorithm: 5
Length: 2048
KSK: yes
ZSK: no
Generated: 20190808220317 (Thu Aug  8 18:03:17 2019)
Published: 20190808220317 (Thu Aug  8 18:03:17 2019)
Active: 20190808220317 (Thu Aug  8 18:03:17 2019)
Retired: 20220505221645 (Thu May  5 18:16:45 2022)
Removed: 20220507001645 (Fri May  6 20:16:45 2022)
DNSKEYChange: 20220505222145 (Thu May  5 18:21:45 2022)
ZRRSIGChange: 20220506232645 (Fri May  6 19:26:45 2022)
KRRSIGChange: 20220505222145 (Thu May  5 18:21:45 2022)
DSChange: 20220505221645 (Thu May  5 18:16:45 2022)
DNSKEYState: hidden
ZRRSIGState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden

Some surprising things here.
The key was generated ages ago, great.  It was removed on Friday evening.... what?
But, it's a KSK.  To update it, I need to visit my registrar and update things.
AFAIK, I'm not doing CDS (I'd like to, but I don't know how, and I don't know if .org is doing it).

tilapia-[/etc/domain/goslingcommunity.org] mcr 10034 %dig +short @a0.org.afilias-nst.org. goslingcommunity.org. ds
5881 5 1 64E6DE566F8F3E33B83FCF51DDE6746872E51432
5881 5 2 5F7C3229244CFE80835B1FCAE94BE8ED2CF26D31942E1628C3D1E7A9 A026535A

No change in the key at .org, and I checked and I don't have a CDS published.

So what happened?  I shall troll my logs and see what else I can find out,
but there sure is a lot of stuff going on.  Maybe lots of flotsam from my
previous situation that needs to expunged.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 511 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20220508/0f0d2804/attachment.sig>

More information about the bind-users mailing list