How to introduce automatic signing for existing signed zones?

Matthijs Mekking matthijs at isc.org
Mon Nov 7 13:10:42 UTC 2022


On 07-11-2022 14:04, Matthijs Mekking wrote:
> Hi Niall,
> 
> You need to share the dnssec-policy for no8.be in order to investigate 
> why it doesn't show the expected behavior, but I suspect that the policy 
> did not match the properties for the existing DNSSEC keys completely.

Ignore that, I saw too late there were attachments.

Are you able to share the public key and key state files with me so I 
can investigate why BIND thinks the existing keys cannot be used?

Also, the log file looks like an excerpt. A full debug (level 3) log 
would be useful too.

Best regards,

Matthijs


> 
> Best regards,
> 
> Matthijs
> 
> On 07-11-2022 12:40, Niall O'Reilly wrote:
>> I have a couple of zones which I want to migrate from CLI-driven
>> signing to BIND9 automatic signing, while avoiding any change to
>> the respective parent-zone DS RR.
>>
>> Status quo ante:
>>
>> - https://dnsviz.net/d/no8.be/dnssec/
>>    separate KSK, ZSK; both using alg 13
>> - https://dnsviz.net/d/jamm.ie/dnssec/
>>    2048-bit KSK, 2x 1024-bit ZSKs (live and spare); all using alg 8
>>
>> Preparation:
>>
>> - Set up minimal stand-alone instance of BIND9 named,
>>    configured with a **dnssec-policy** for each algorithm,
>>    matching properties of existing DNSSEC keys, and with
>>    `lifetime unlimited`;
>> - Deliver current key files and recently-signed copy of
>>    zone files to this instance.
>>
>> Expected behaviour on starting named:
>>
>> - Zones are loaded;
>> - Spare ZSK for jamm.ie is retired;
>> - Other keys for each zone are accepted and retained;
>> - A CDS RR is generated for each zone, matching the current DS RR.
>>
>> Observed behaviour:
>>
>> - `named -v` shows `BIND 9.18.8 (Stable Release) <id:35f5d35>`;
>> - Zones are loaded;
>> - Spare ZSK for jamm.ie is retired;
>> - Other RSA/SHA-256 keys (for jamm.ie) are accepted and retained;
>> - A CDS RR is published for jamm.ie, matching the current DS RR;
>> - ECDSAP256SHA256 keys (for no8.be) are not accepted;
>> - New ECDSAP256SHA256 keys are created for no8.be;
>> - No CDS RR is generated for no8.be.
>>
>> Unless I'm missing something, there seems to be a discrepancy
>> according to key type between the handling of RSA/SHA-256 and
>> ECDSAP256SHA256 keys respectively.
>>
>> /Niall
>>
>>
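As an added illustration of the "Preparation" step above (this is an example configuration I am adding for clarity, not part of the thread or of BIND's own documentation), the minimal named.conf below declares one dnssec-policy per algorithm, sized to match the keys Niall describes, with `lifetime unlimited` so that named keeps the existing keys indefinitely instead of scheduling a rollover. The policy names, the key-directory path and the zone file names are assumptions; everything else follows the zone properties stated in the post (alg 13 KSK+ZSK for no8.be; alg 8 with a 2048-bit KSK and 1024-bit ZSKs for jamm.ie). Because the jamm.ie policy defines only a single ZSK, the spare ZSK is expected to be retired, which matches the observed behaviour.

```conf
// Assumed layout: existing K<zone>.+<alg>+<id>.key/.private files
// have been copied into this directory (path is an assumption).
options {
    directory "/var/named";
    key-directory "/var/named/keys";
};

// Policy for no8.be: ECDSAP256SHA256 (alg 13), separate KSK and ZSK.
// No key size is given because it is fixed for this algorithm;
// lifetime unlimited means named will not roll the matched keys.
dnssec-policy "ecdsa13-keep-existing" {
    keys {
        ksk key-directory lifetime unlimited algorithm ecdsap256sha256;
        zsk key-directory lifetime unlimited algorithm ecdsap256sha256;
    };
};

// Policy for jamm.ie: RSASHA256 (alg 8), 2048-bit KSK, one 1024-bit ZSK.
// Key length is part of what named matches for RSA keys, so it must
// equal the size of the keys already on disk.
dnssec-policy "rsa8-keep-existing" {
    keys {
        ksk key-directory lifetime unlimited algorithm rsasha256 2048;
        zsk key-directory lifetime unlimited algorithm rsasha256 1024;
    };
};

zone "no8.be" {
    type primary;
    file "no8.be.db";          // recently signed copy (file name assumed)
    dnssec-policy "ecdsa13-keep-existing";
    inline-signing yes;
};

zone "jamm.ie" {
    type primary;
    file "jamm.ie.db";         // recently signed copy (file name assumed)
    dnssec-policy "rsa8-keep-existing";
    inline-signing yes;
};
```

Checks that go with this: `named-checkconf -z` validates the policies before start; after the zones load, `rndc dnssec -status no8.be` lists which key files the policy adopted and their state-machine timings, which is where a mismatch in algorithm, role or length first shows up; and `rndc trace 3` raises the log level to the debug level 3 requested above so the key-selection reasoning is written to the log. Since the intent is to keep the parent DS unchanged, the KSK's DS state should already read as present in the parent (a CDS matching the current DS is the confirmation); only if named still shows the DS as not yet published would `rndc dnssec -checkds published no8.be` be appropriate to tell it the existing DS is live.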