dnssec-policy change from ZSK/KSK to CSK failed (bogus DNSSEC for zone)

Matthijs Mekking matthijs at isc.org
Fri Jun 2 12:09:54 UTC 2023


Hi,

On 6/2/23 13:53, Sebastian Wiesinger wrote:
> Hi,
> 
> I recently moved from auto-dnssec to dnssec-policy and after the
> switch I tried to change a zone from an RSA ZSK/KSK to an ECDSA CSK.
> 
> When I changed the dnssec-policy from rsa to ecdsa-csk the old keys
> immediately got removed which lead to a bogus DNSSEC for the zone. I
> was expecting a rollover procedure.

Did you wait until the migration was complete? Everything needs to be 
omnipresent after the migration before you can make DNSSEC policy 
changes safely.

I noticed:

>    - ds:             hidden

This means that from BIND's perspective the DS has not been published. 
Most likely because the other keys were not fully omnipresent yet.

If the DS is not published yet, or at least the migration has not 
reached this state yet, you can do anything with the DNSSEC records, 
because of the absence of a secure delegation.

Best regards,

Matthijs


> BIND version is 9.18.12 (Debian Backports).
> 
> My question is, did I do something wrong? What would have been the
> right way to do it? I noticed that the DS state is "hidden" before and
> after the switch of the dnssec-policy but I found no way to change
> that.
> 
> Here is config and logs of the change:
> 
> Old and new policy are:
> 
> dnssec-policy "rsa" {
>      keys {
>          ksk key-directory lifetime unlimited algorithm rsasha256 2048;
>          zsk key-directory lifetime P60D algorithm rsasha256 1024;
>      };
> };
> 
> dnssec-policy "ecdsa-csk" {
>      keys {
>          csk key-directory lifetime unlimited algorithm 13;
>      };
> };
> 
> Zone definition is:
> 
> zone "sub.my.zone" {
>          type master;
>          file "/etc/bind/dynamic-zones/sub.my.zone/sub.my.zone";
>          allow-transfer { localhost; ns2; };
>          key-directory "/etc/bind/dynamic-zones/sub.my.zone";
>          dnssec-policy "ecdsa-csk";
>          parental-agents { 127.12.12.13; };
>          allow-update { key sub.my.zone_api.; };
> };
> 
> 
> Jun 02 13:26:19 alita named[1001022]: general: notice: zone sub.my.zone/IN/default: checkds: set 1 parentals
> Jun 02 13:26:19 alita named[1001022]: dnssec: info: zone sub.my.zone/IN/default: reconfiguring zone keys
> Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: retire DNSKEY sub.my.zone/RSASHA256/54096 (ZSK)
> Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: retire DNSKEY sub.my.zone/RSASHA256/56781 (ZSK)
> Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: retire DNSKEY sub.my.zone/RSASHA256/13786 (KSK)
> Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: DNSKEY sub.my.zone/ECDSAP256SHA256/36745 (CSK) created for policy ecdsa-csk
> Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/RSASHA256/56781 (ZSK) is now deleted
> Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/RSASHA256/13786 (KSK) is now deleted
> Jun 02 13:26:19 alita named[1001022]: dnssec: info: Fetching sub.my.zone/ECDSAP256SHA256/36745 (CSK) from key repository.
> Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/ECDSAP256SHA256/36745 (CSK) is now published
> Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/ECDSAP256SHA256/36745 (CSK) is now active
> Jun 02 13:26:19 alita named[1001022]: dnssec: info: zone sub.my.zone/IN/default: next key event: 02-Jun-2023 13:31:19.338
> Jun 02 13:26:19 alita named[1001022]: notify: info: zone sub.my.zone/IN/default: sending notifies (serial 2014014053)
> 
> DNSSEC status before:
> 
> dnssec-policy: rsa
> current time:  Fri Jun  2 13:23:54 2023
> 
> key: 54096 (RSASHA256), ZSK
>    published:      no
>    zone signing:   no
> 
>    Key has been removed from the zone
>    - goal:           hidden
>    - dnskey:         hidden
>    - zone rrsig:     unretentive
> 
> key: 56781 (RSASHA256), ZSK
>    published:      yes - since Fri Jun  2 11:15:23 2023
>    zone signing:   yes - since Fri Jun  2 12:20:23 2023
> 
>    Next rollover scheduled on Tue Aug  1 10:15:23 2023
>    - goal:           omnipresent
>    - dnskey:         omnipresent
>    - zone rrsig:     rumoured
> 
> key: 13786 (RSASHA256), KSK
>    published:      yes - since Wed Jan 22 22:42:33 2014
>    key signing:    yes - since Wed Jan 22 22:42:33 2014
> 
>    No rollover scheduled
>    - goal:           omnipresent
>    - dnskey:         omnipresent
>    - ds:             hidden
>    - key rrsig:      omnipresent
> 
> 
> 
> DNSSEC status after:
> 
> dnssec-policy: ecdsa-csk
> current time:  Fri Jun  2 13:32:23 2023
> 
> key: 54096 (RSASHA256), ZSK
>    published:      no
>    zone signing:   no
> 
>    Key has been removed from the zone
>    - goal:           hidden
>    - dnskey:         hidden
>    - ds:             hidden
>    - zone rrsig:     unretentive
>    - key rrsig:      hidden
> 
> key: 56781 (RSASHA256), ZSK
>    published:      no
>    zone signing:   no
> 
>    Key has been removed from the zone
>    - goal:           hidden
>    - dnskey:         unretentive
>    - ds:             unretentive
>    - zone rrsig:     unretentive
>    - key rrsig:      unretentive
> 
> key: 36745 (ECDSAP256SHA256), CSK
>    published:      yes - since Fri Jun  2 13:26:19 2023
>    key signing:    yes - since Fri Jun  2 13:26:19 2023
>    zone signing:   yes - since Fri Jun  2 13:26:19 2023
> 
>    No rollover scheduled
>    - goal:           omnipresent
>    - dnskey:         rumoured
>    - ds:             hidden
>    - zone rrsig:     rumoured
>    - key rrsig:      rumoured
> 
> key: 13786 (RSASHA256), KSK
>    published:      no
>    key signing:    no
> 
>    Key has been removed from the zone
>    - goal:           hidden
>    - dnskey:         hidden
>    - ds:             hidden
>    - zone rrsig:     unretentive
>    - key rrsig:      hidden
> 
> 
> Best Regards
> 
> Sebastian
> 
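As an added example (my own code, not from the thread or from BIND), a small checker that parses `rndc dnssec -status` output like the status blocks quoted above and lists the key states that are not yet settled. The "safe to change policy" rule it applies is a conservative reading of the advice in the reply, not BIND's internal keymgr logic, and the sample input is abridged from the "DNSSEC status before" block in the thread.

```python
import re

# Constructed sample: key-state lines from the thread's "DNSSEC status before" (abridged).
STATUS_BEFORE = """\
dnssec-policy: rsa
key: 54096 (RSASHA256), ZSK
   - goal:           hidden
   - dnskey:         hidden
   - zone rrsig:     unretentive
key: 56781 (RSASHA256), ZSK
   - goal:           omnipresent
   - dnskey:         omnipresent
   - zone rrsig:     rumoured
key: 13786 (RSASHA256), KSK
   - goal:           omnipresent
   - dnskey:         omnipresent
   - ds:             hidden
   - key rrsig:      omnipresent
"""

KEY_RE = re.compile(r"^key:\s+(\d+)\s+\((\w+)\),\s+(\w+)\s*$")
STATE_RE = re.compile(r"^\s*-\s+([a-z ]+):\s+(\w+)\s*$")

def parse_status(text):
    """Map key id -> {"alg", "role", "states": {state name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = {"alg": m.group(2), "role": m.group(3), "states": {}}
            keys[m.group(1)] = current
        elif current is not None and (m := STATE_RE.match(line)):
            current["states"][m.group(1).strip()] = m.group(2)
    return keys

def policy_change_blockers(keys):
    """Conservative rule (my reading of the thread, not BIND's own logic): a key meant to
    stay (goal omnipresent) must have every state omnipresent, and a retiring key
    (goal hidden) must have nothing still in transition. Returns [(key id, state, value)]."""
    blockers = []
    for keyid, info in keys.items():
        goal = info["states"].get("goal")
        for name, value in info["states"].items():
            if (goal == "omnipresent" and value != "omnipresent") or \
               (goal == "hidden" and value in ("rumoured", "unretentive")):
                blockers.append((keyid, name, value))
    return blockers

def ready_for_policy_change(text):
    return not policy_change_blockers(parse_status(text))
```

On the quoted "before" status this reports the KSK's hidden DS and the two ZSK signature states still in transition, so the policy switch would be flagged as premature.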

