dnssec-policy change from ZSK/KSK to CSK failed (bogus DNSSEC for zone)

Sebastian Wiesinger sebastian at karotte.org
Fri Jun 2 11:53:15 UTC 2023


Hi,

I recently moved from auto-dnssec to dnssec-policy and after the
switch I tried to change a zone from an RSA ZSK/KSK to an ECDSA CSK.

When I changed the dnssec-policy from rsa to ecdsa-csk the old keys
immediately got removed, which led to a bogus DNSSEC for the zone. I
was expecting a rollover procedure.

BIND version is 9.18.12 (Debian Backports).

My question is, did I do something wrong? What would have been the
right way to do it? I noticed that the DS state is "hidden" before and
after the switch of the dnssec-policy but I found no way to change
that.

Here are the config and logs of the change:

Old and new policies are:

dnssec-policy "rsa" {
    keys {
        ksk key-directory lifetime unlimited algorithm rsasha256 2048;
        zsk key-directory lifetime P60D algorithm rsasha256 1024;
    };
};

dnssec-policy "ecdsa-csk" {
    keys {
        csk key-directory lifetime unlimited algorithm 13;
    };
};

Zone definition is:

zone "sub.my.zone" {
        type master;
        file "/etc/bind/dynamic-zones/sub.my.zone/sub.my.zone";
        allow-transfer { localhost; ns2; };
        key-directory "/etc/bind/dynamic-zones/sub.my.zone";
        dnssec-policy "ecdsa-csk";
        parental-agents { 127.12.12.13; };
        allow-update { key sub.my.zone_api.; };
};


Jun 02 13:26:19 alita named[1001022]: general: notice: zone sub.my.zone/IN/default: checkds: set 1 parentals
Jun 02 13:26:19 alita named[1001022]: dnssec: info: zone sub.my.zone/IN/default: reconfiguring zone keys
Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: retire DNSKEY sub.my.zone/RSASHA256/54096 (ZSK)
Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: retire DNSKEY sub.my.zone/RSASHA256/56781 (ZSK)
Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: retire DNSKEY sub.my.zone/RSASHA256/13786 (KSK)
Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: DNSKEY sub.my.zone/ECDSAP256SHA256/36745 (CSK) created for policy ecdsa-csk
Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/RSASHA256/56781 (ZSK) is now deleted
Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/RSASHA256/13786 (KSK) is now deleted
Jun 02 13:26:19 alita named[1001022]: dnssec: info: Fetching sub.my.zone/ECDSAP256SHA256/36745 (CSK) from key repository.
Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/ECDSAP256SHA256/36745 (CSK) is now published
Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/ECDSAP256SHA256/36745 (CSK) is now active
Jun 02 13:26:19 alita named[1001022]: dnssec: info: zone sub.my.zone/IN/default: next key event: 02-Jun-2023 13:31:19.338
Jun 02 13:26:19 alita named[1001022]: notify: info: zone sub.my.zone/IN/default: sending notifies (serial 2014014053)

DNSSEC status before:

dnssec-policy: rsa
current time:  Fri Jun  2 13:23:54 2023

key: 54096 (RSASHA256), ZSK
  published:      no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - zone rrsig:     unretentive

key: 56781 (RSASHA256), ZSK
  published:      yes - since Fri Jun  2 11:15:23 2023
  zone signing:   yes - since Fri Jun  2 12:20:23 2023

  Next rollover scheduled on Tue Aug  1 10:15:23 2023
  - goal:           omnipresent
  - dnskey:         omnipresent
  - zone rrsig:     rumoured

key: 13786 (RSASHA256), KSK
  published:      yes - since Wed Jan 22 22:42:33 2014
  key signing:    yes - since Wed Jan 22 22:42:33 2014

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             hidden
  - key rrsig:      omnipresent



DNSSEC status after:

dnssec-policy: ecdsa-csk
current time:  Fri Jun  2 13:32:23 2023

key: 54096 (RSASHA256), ZSK
  published:      no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - ds:             hidden
  - zone rrsig:     unretentive
  - key rrsig:      hidden

key: 56781 (RSASHA256), ZSK
  published:      no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         unretentive
  - ds:             unretentive
  - zone rrsig:     unretentive
  - key rrsig:      unretentive

key: 36745 (ECDSAP256SHA256), CSK
  published:      yes - since Fri Jun  2 13:26:19 2023
  key signing:    yes - since Fri Jun  2 13:26:19 2023
  zone signing:   yes - since Fri Jun  2 13:26:19 2023

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         rumoured
  - ds:             hidden
  - zone rrsig:     rumoured
  - key rrsig:      rumoured

key: 13786 (RSASHA256), KSK
  published:      no
  key signing:    no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - ds:             hidden
  - zone rrsig:     unretentive
  - key rrsig:      hidden


Best Regards

Sebastian

-- 
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
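The status output above shows the one pre-condition worth checking before any dnssec-policy change: the active KSK has "ds: hidden", i.e. named has never been told that the parent publishes a DS for it. The following script is an added example (not code from the poster or from BIND) that parses `rndc dnssec -status` text in the layout shown in the post and flags any KSK or CSK that is signing the DNSKEY RRset while its DS state is still hidden or absent. The sample status text is copied from the "before" output in the post; the field-name regex is an assumption based on that layout, not a documented format guarantee.

```python
"""Flag DNSSEC keys whose parent DS state is still 'hidden' in
`rndc dnssec -status` output (layout as printed by BIND 9.18 in the post)."""
import re

# Constructed sample: the "DNSSEC status before" block from the mailing-list post.
SAMPLE_STATUS = """\
dnssec-policy: rsa
current time:  Fri Jun  2 13:23:54 2023

key: 54096 (RSASHA256), ZSK
  published:      no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - zone rrsig:     unretentive

key: 56781 (RSASHA256), ZSK
  published:      yes - since Fri Jun  2 11:15:23 2023
  zone signing:   yes - since Fri Jun  2 12:20:23 2023

  Next rollover scheduled on Tue Aug  1 10:15:23 2023
  - goal:           omnipresent
  - dnskey:         omnipresent
  - zone rrsig:     rumoured

key: 13786 (RSASHA256), KSK
  published:      yes - since Wed Jan 22 22:42:33 2014
  key signing:    yes - since Wed Jan 22 22:42:33 2014

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             hidden
  - key rrsig:      omnipresent
"""

# "key: 13786 (RSASHA256), KSK" -> id, algorithm, role
KEY_RE = re.compile(r"^key:\s+(\d+)\s+\(([^)]+)\),\s+(\w+)\s*$")
# Indented "name: value" lines, with or without the leading "- " of state lines.
# Lowercase-only names keep "Next rollover ..." / "No rollover ..." from matching.
FIELD_RE = re.compile(r"^\s+(?:-\s+)?([a-z ]+?):\s+(.+?)\s*$")


def parse_status(text):
    """Return a list of {'id', 'algorithm', 'role', 'states'} dicts, one per key."""
    keys = []
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "algorithm": m.group(2),
                       "role": m.group(3), "states": {}}
            keys.append(current)
            continue
        if current is None:
            continue  # header lines before the first key
        m = FIELD_RE.match(line)
        if m:
            current["states"][m.group(1).strip()] = m.group(2)
    return keys


def check_ds_state(keys):
    """Flag KSK/CSK keys that sign the DNSKEY RRset but whose DS state is not
    tracked as published. Such a key will not get a conservative rollover when
    the policy changes, because named believes no DS at the parent depends on it."""
    findings = []
    for k in keys:
        st = k["states"]
        signs_dnskey = st.get("key signing", "no").startswith("yes")
        ds_state = st.get("ds")  # None if the status block has no ds line
        if k["role"] in ("KSK", "CSK") and signs_dnskey and ds_state in (None, "hidden"):
            findings.append(
                f"key {k['id']} ({k['algorithm']}, {k['role']}) signs the DNSKEY "
                f"RRset but its DS state is '{ds_state or 'missing'}'"
            )
    return findings


if __name__ == "__main__":
    for finding in check_ds_state(parse_status(SAMPLE_STATUS)):
        print("WARNING:", finding)
```

Run against the post's own status block it reports key 13786, the 2014 RSA KSK. In BIND 9.16 and later the DS state can be set by hand with `rndc dnssec -checkds published <zone>` once the DS is confirmed at the parent, or by named itself when parental-agents are configured and reachable; the point of the check is to confirm that state is "rumoured" or "omnipresent" for every live KSK/CSK before editing the policy, rather than after the zone has gone bogus.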

