KASP Rollover = Immediate Loss of DNSKEY (Why Do Inactive Keys Disappear?)

Eddie Rowe Eddie.Rowe at werdev.com
Thu Oct 19 23:46:08 UTC 2023


Thank you for your kind reply - BIND is too smart for me!  I can confirm that when you use a CSK, letting BIND know that the key has been published ("rndc dnssec -keyid value -checkds published zone") resolves the issue with a CSK rollover, which I tried since I had issues with ZSKs doing the same thing.

The same solution does not seem to impact a ZSK rollover, which baffles me.  Are there any other considerations for when BIND might roll over a ZSK sooner than I expected?

I waited until the ZSK was omnipresent, and as soon as I ran the rollover command the old key disappeared (3 hour TTL) and my test zone was immediately resigned with the new ZSK.  The rollover was about 30 minutes ago and the current time is 18:40 on Oct 19... info shows that the original ZSK should still be active, but it is not.

Original ZSK Key

# cat *43876*.state
; This is the state of key 43876, for myexample2.com.
Algorithm: 13
Length: 256
Lifetime: 17702
Successor: 5264
KSK: no
ZSK: yes
Generated: 20231019202240 (Thu Oct 19 15:22:40 2023)
Published: 20231019202240 (Thu Oct 19 15:22:40 2023)
Active: 20231019202240 (Thu Oct 19 15:22:40 2023)
Retired: 20231020011742 (Thu Oct 19 20:17:42 2023)
Removed: 20231030022242 (Sun Oct 29 21:22:42 2023)
DNSKEYChange: 20231019231242 (Thu Oct 19 18:12:42 2023)
ZRRSIGChange: 20231019231242 (Thu Oct 19 18:12:42 2023)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden


New ZSK Key

# cat *5264*.state
; This is the state of key 5264, for myexample2.com.
Algorithm: 13
Length: 256
Lifetime: 5184000
Predecessor: 43876
KSK: no
ZSK: yes
Generated: 20231019231242 (Thu Oct 19 18:12:42 2023)
Published: 20231019231242 (Thu Oct 19 18:12:42 2023)
Active: 20231020011742 (Thu Oct 19 20:17:42 2023)
Retired: 20231219011742 (Mon Dec 18 19:17:42 2023)
Removed: 20231229022242 (Thu Dec 28 20:22:42 2023)
DNSKEYChange: 20231019231242 (Thu Oct 19 18:12:42 2023)
ZRRSIGChange: 20231019231242 (Thu Oct 19 18:12:42 2023)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent


# dig @localhost myexample2.com DNSKEY +multi

; <<>> DiG 9.16.23-RH <<>> @localhost myexample2.com DNSKEY +multi
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56141
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: cb17dbf88eab8fab010000006531b7fe20a031be5b4fab07 (good)
;; QUESTION SECTION:
;myexample2.com.                IN DNSKEY

;; ANSWER SECTION:
myexample2.com.         3600 IN DNSKEY 257 3 13 (
                                N7XVBtoat8ebr4jYDczH6cb/6WLJCYJ+A2h+wmQXh/Am
                                F21xZsZ5awToRz6pC3Z11m1q1fOxN+JKa3x4xQOPIA==
                                ) ; KSK; alg = ECDSAP256SHA256 ; key id = 28233
myexample2.com.         3600 IN DNSKEY 256 3 13 (
                                fInt/iKpWoqsQdIpninExDUyOUZCgM/tGl3I5vgoogpK
                                ivBEwi9FRRUSMYpTY+etEWXGwSdm7jkHowrhjWz3ZQ==
                                ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 5264

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 19 18:13:02 CDT 2023
;; MSG SIZE  rcvd: 231


________________________________
From: Mark Andrews <marka at isc.org>
Sent: Sunday, October 8, 2023 8:11 PM
To: Eddie Rowe <Eddie.Rowe at werdev.com>
Cc: bind-users at lists.isc.org <bind-users at lists.isc.org>
Subject: Re: KASP Rollover = Immediate Loss of DNSKEY (Why Do Inactive Keys Disappear?)


> Given the parent zone doesn’t have DS records for the zone and there is no private trust anchor published,
> there is no harm in changing the DNSKEYs immediately.  Try again and this time tell named that there are
> DS records published for the zone.
>
>       rndc dnssec -keyid value -checkds published zone
>
> This is also how you tell named about private trust anchors which are equivalent to publishing DS records
> in the parent.
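One way to spot the timeline inconsistency described in the message (a predecessor key leaving the DNSKEY RRset and the zone signatures before its Retired time) directly from the .state files pasted above. This is an added example, not code from the thread or from BIND itself; it assumes only the "Field: value" format shown in those files, and the embedded sample is the 43876 state from the post with unused fields left out.

```python
import re
from datetime import datetime, timezone

# UTC YYYYMMDDHHMMSS timestamp, optionally followed by a local time in parentheses.
_TS = re.compile(r"^(\d{14})(?:\s+\(.*\))?$")

# Original ZSK state from the post, minus fields this check never reads (Algorithm,
# Length, Lifetime, KSK, Generated, Published, Removed, DNSKEYChange, ZRRSIGChange).
STATE_43876 = """; This is the state of key 43876, for myexample2.com.
Successor: 5264
ZSK: yes
Active: 20231019202240 (Thu Oct 19 15:22:40 2023)
Retired: 20231020011742 (Thu Oct 19 20:17:42 2023)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden
"""
NOW = datetime(2023, 10, 19, 23, 40, tzinfo=timezone.utc)  # 18:40 CDT in the post

def parse_state(text):
    """Map each 'Field: value' line to a typed value; ';' lines are comments."""
    state = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        field, _, value = line.partition(":")
        value = value.strip()
        ts = _TS.match(value)
        if ts:  # timestamp field such as Active or Retired
            state[field] = datetime.strptime(ts.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        elif value.isdigit():  # key ids, lifetime, algorithm number
            state[field] = int(value)
        else:  # state names (omnipresent, unretentive, ...) and yes/no flags
            state[field] = value
    return state

def early_withdrawal(state, now):
    """RRsets this key has already left while 'now' is still before Retired; [] means consistent."""
    retired = state.get("Retired")
    if retired is None or now >= retired:
        return []
    checks = [("DNSKEY", "DNSKEYState")]
    if state.get("ZSK") == "yes":
        checks.append(("zone RRSIGs", "ZRRSIGState"))
    return [f"{name}: {state.get(field)} with {retired - now} left before Retired"
            for name, field in checks if state.get(field) != "omnipresent"]

if __name__ == "__main__":
    print(*early_withdrawal(parse_state(STATE_43876), NOW), sep="\n")
```

Run against the 43876 state at 18:40 CDT it reports both the DNSKEY and the zone RRSIGs as withdrawn with about 1h37m still left before Retired, which is the behaviour the reply attributes to named not having been told (via -checkds) that DS records exist.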

