KASP Key Rollover: ZSK Disappears Immediately

Eddie Rowe Eddie.Rowe at werdev.com
Thu Sep 28 23:05:07 UTC 2023


When I perform a ZSK key rollover the existing ZSK disappears immediately, so I am not sure what I am missing when using the KASP to manage key rollover. The state for the keys looks good, and for this test I have TTL set to 1 hour. But why does dig not show me both DNSKEY records for the ZSK after I initiate the rollover, when there should be overlap as described in Automatic DNSSEC Zone Signing Key rollover explained (isc.org) <https://kb.isc.org/docs/aa-00822>?

BIND 9.16.23, which seems to be the newest release provided by my distribution. I reviewed the ARM notes for newer releases in the 9.16 branch and did not see any mention of rollover bugs, or of dig bugs.

1. Here is the key info from dig for ZSK key 15465 at 17:17.

# dig @localhost myexample.com DNSKEY +multi

; <<>> DiG 9.16.23-RH <<>> @localhost myexample.com DNSKEY +multi
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41895
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7c2a0e61926d2d3a010000006515fb68eef12b631ca40c20 (good)
;; QUESTION SECTION:
;myexample.com.         IN DNSKEY

;; ANSWER SECTION:
myexample.com.          3600 IN DNSKEY 257 3 13 (
                                20agIXl9sQCo00yiHHviYWZG8TvVmDoVxPJwO3mlcwxB
                                le7UNrzNQaeukC6teT4XrqYflqDxcM6d9L/mtREIKA==
                                ) ; KSK; alg = ECDSAP256SHA256 ; key id = 31296
myexample.com.          3600 IN DNSKEY 256 3 13 (
                                AlKXH5aebvboC4laAovc6wfg6uGK1uTbTqYYnhKadSq6
                                78nSI3DyM+1t91jqQ81tlBy+e3hJyKtlX/OiOhuZcA==
                                ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 15465

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 28 17:17:12 CDT 2023
;; MSG SIZE  rcvd: 230


2. Here is the info from the key as far as state goes.

# more Kmyexample.com.+013+15465.key
; This is a zone-signing key, keyid 15465, for myexample.com.
; Created: 20230928221438 (Thu Sep 28 17:14:38 2023)
; Publish: 20230928221438 (Thu Sep 28 17:14:38 2023)
; Activate: 20230928221438 (Thu Sep 28 17:14:38 2023)
; Inactive: 20231127221438 (Mon Nov 27 16:14:38 2023)
; Delete: 20231207231938 (Thu Dec  7 17:19:38 2023)
myexample.com. 3600 IN DNSKEY 256 3 13 AlKXH5aebvboC4laAovc6wfg6uGK1uTbTqYYnhKadSq678nSI3DyM+1t 91jqQ81tlBy+e3hJyKtlX/OiOhuZcA==

# more Kmyexample.com.+013+15465.state
; This is the state of key 15465, for myexample.com.
Algorithm: 13
Length: 256
Lifetime: 5184000
KSK: no
ZSK: yes
Generated: 20230928221438 (Thu Sep 28 17:14:38 2023)
Published: 20230928221438 (Thu Sep 28 17:14:38 2023)
Active: 20230928221438 (Thu Sep 28 17:14:38 2023)
Retired: 20231127221438 (Mon Nov 27 16:14:38 2023)
Removed: 20231207231938 (Thu Dec  7 17:19:38 2023)
DNSKEYChange: 20230928221438 (Thu Sep 28 17:14:38 2023)
ZRRSIGChange: 20230928221438 (Thu Sep 28 17:14:38 2023)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent

3. Ran rollover at 17:22.

# rndc dnssec -rollover -key 15465 myexample.com
Key 15465: Rollover scheduled on 28-Sep-2023 17:22:35.000

4. Ran dig at 17:22 and it now just shows the new ZSK 3913! Where did the prior ZSK go (15465)?

# dig @localhost myexample.com DNSKEY +multi

; <<>> DiG 9.16.23-RH <<>> @localhost myexample.com DNSKEY +multi
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21486
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 419494d5cbae21fd010000006515fcb383972461377bf329 (good)
;; QUESTION SECTION:
;myexample.com.         IN DNSKEY

;; ANSWER SECTION:
myexample.com.          3600 IN DNSKEY 257 3 13 (
                                20agIXl9sQCo00yiHHviYWZG8TvVmDoVxPJwO3mlcwxB
                                le7UNrzNQaeukC6teT4XrqYflqDxcM6d9L/mtREIKA==
                                ) ; KSK; alg = ECDSAP256SHA256 ; key id = 31296
myexample.com.          3600 IN DNSKEY 256 3 13 (
                                FdOW/okezOBOscx4/E4UfaSBkgK9tsnUZ8dvV5AZKMeH
                                jdH/jtYfASaeyrVYfclPsFuW5dLO7CU86vIplYKpEg==
                                ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 3913

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 28 17:22:43 CDT 2023
;; MSG SIZE  rcvd: 230

5. The key state for the original ZSK (15465) has been updated, and it looks like it is set to become inactive at 19:27, which is what I expect based on my TTL of 60 minutes. The new key (03913) shows that it will be active at 19:27, which looks correct.

# more Kmyexample.com.+013+15465.key
; This is a zone-signing key, keyid 15465, for myexample.com.
; Created: 20230928221438 (Thu Sep 28 17:14:38 2023)
; Publish: 20230928221438 (Thu Sep 28 17:14:38 2023)
; Activate: 20230928221438 (Thu Sep 28 17:14:38 2023)
; Inactive: 20230929002735 (Thu Sep 28 19:27:35 2023)
; Delete: 20231009013235 (Sun Oct  8 20:32:35 2023)
myexample.com. 3600 IN DNSKEY 256 3 13 AlKXH5aebvboC4laAovc6wfg6uGK1uTbTqYYnhKadSq678nSI3DyM+1t 91jqQ81tlBy+e3hJyKtlX/OiOhuZcA==

# more Kmyexample.com.+013+15465.state
; This is the state of key 15465, for myexample.com.
Algorithm: 13
Length: 256
Lifetime: 7977
Successor: 3913
KSK: no
ZSK: yes
Generated: 20230928221438 (Thu Sep 28 17:14:38 2023)
Published: 20230928221438 (Thu Sep 28 17:14:38 2023)
Active: 20230928221438 (Thu Sep 28 17:14:38 2023)
Retired: 20230929002735 (Thu Sep 28 19:27:35 2023)
Removed: 20231009013235 (Sun Oct  8 20:32:35 2023)
DNSKEYChange: 20230928222235 (Thu Sep 28 17:22:35 2023)
ZRRSIGChange: 20230928222235 (Thu Sep 28 17:22:35 2023)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden

# more Kmyexample.com.+013+03913.key
; This is a zone-signing key, keyid 3913, for myexample.com.
; Created: 20230928222235 (Thu Sep 28 17:22:35 2023)
; Publish: 20230928222235 (Thu Sep 28 17:22:35 2023)
; Activate: 20230929002735 (Thu Sep 28 19:27:35 2023)
; Inactive: 20231128002735 (Mon Nov 27 18:27:35 2023)
; Delete: 20231208013235 (Thu Dec  7 19:32:35 2023)
myexample.com. 3600 IN DNSKEY 256 3 13 FdOW/okezOBOscx4/E4UfaSBkgK9tsnUZ8dvV5AZKMeHjdH/jtYfASae yrVYfclPsFuW5dLO7CU86vIplYKpEg==

# more Kmyexample.com.+013+03913.state
; This is the state of key 3913, for myexample.com.
Algorithm: 13
Length: 256
Lifetime: 5184000
Predecessor: 15465
KSK: no
ZSK: yes
Generated: 20230928222235 (Thu Sep 28 17:22:35 2023)
Published: 20230928222235 (Thu Sep 28 17:22:35 2023)
Active: 20230929002735 (Thu Sep 28 19:27:35 2023)
Retired: 20231128002735 (Mon Nov 27 18:27:35 2023)
Removed: 20231208013235 (Thu Dec  7 19:32:35 2023)
DNSKEYChange: 20230928222235 (Thu Sep 28 17:22:35 2023)
ZRRSIGChange: 20230928222235 (Thu Sep 28 17:22:35 2023)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent

My policy:
dnssec-policy "my-default" {
    keys {
         zsk key-directory lifetime P60D algorithm ecdsap256sha256;
         ksk key-directory lifetime unlimited algorithm ecdsap256sha256;
    };

    // Key timings
    dnskey-ttl PT1H;
    publish-safety PT1H;
    purge-keys P90D;
    retire-safety PT1H;

    // Signature timings
    signatures-refresh P5D;
    signatures-validity P14D;
    signatures-validity-dnskey P14D;

    // Zone parameters
    max-zone-ttl P1D;
    parent-ds-ttl P1D;
    parent-propagation-delay PT1H;
    zone-propagation-delay PT5M;
};

Zone file:
# cat /var/named/myexample.com.db

$ORIGIN myexample.com.
$TTL 60m

@ IN SOA ns01.myexample.com. postmaster.myexample.com. (
                        15      ; Serial
                        3h      ; Refresh after 3 hours
                        1h      ; Retry after 1 hour
                        1w      ; Expire after 1 week
                        1h )    ; Negative caching TTL of 1 hour

@ IN NS ns01.myexample.com.
ns01    IN      A       10.1.2.3
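
The timestamps in the .state files above can be checked against the dnssec-policy intervals, and the served DNSKEY RRset can be compared with the key states, with the following script. This is an added example, not code from the post or from BIND: the state-file texts are abbreviated copies of the files shown in steps 2 and 5, the served key-id set is read off the dig output in step 4, and the two interval formulas (Ipub = dnskey-ttl + publish-safety + zone-propagation-delay; Iret for a ZSK = signatures-validity - signatures-refresh + max-zone-ttl + retire-safety + zone-propagation-delay) are an assumption, chosen because they reproduce every Published/Active/Retired/Removed relation in those files.

```python
# Added example (not from the post or BIND): cross-check KASP .state files against policy intervals.
import re
from datetime import datetime, timedelta

# Timings from dnssec-policy "my-default" in the post, as timedeltas.
POLICY = {
    "dnskey-ttl": timedelta(hours=1), "publish-safety": timedelta(hours=1),
    "retire-safety": timedelta(hours=1), "zone-propagation-delay": timedelta(minutes=5),
    "max-zone-ttl": timedelta(days=1), "signatures-validity": timedelta(days=14),
    "signatures-refresh": timedelta(days=5),
}

# Constructed inputs: abbreviated copies of the post's .state files (all three are ZSKs).
STATE_15465_BEFORE = """\
; This is the state of key 15465, for myexample.com.
Lifetime: 5184000
Active: 20230928221438 (Thu Sep 28 17:14:38 2023)
Retired: 20231127221438 (Mon Nov 27 16:14:38 2023)
Removed: 20231207231938 (Thu Dec  7 17:19:38 2023)
DNSKEYState: rumoured
ZRRSIGState: rumoured
"""
STATE_15465_AFTER = """\
; This is the state of key 15465, for myexample.com.
Lifetime: 7977
Successor: 3913
Active: 20230928221438 (Thu Sep 28 17:14:38 2023)
Retired: 20230929002735 (Thu Sep 28 19:27:35 2023)
Removed: 20231009013235 (Sun Oct  8 20:32:35 2023)
ZRRSIGState: unretentive
"""
STATE_3913 = """\
; This is the state of key 3913, for myexample.com.
Lifetime: 5184000
Predecessor: 15465
Published: 20230928222235 (Thu Sep 28 17:22:35 2023)
Active: 20230929002735 (Thu Sep 28 19:27:35 2023)
Retired: 20231128002735 (Mon Nov 27 18:27:35 2023)
Removed: 20231208013235 (Thu Dec  7 19:32:35 2023)
ZRRSIGState: rumoured
"""
# Key ids in the DNSKEY answer section of the dig run after the rollover (step 4).
SERVED_AFTER = {31296, 3913}

def parse_state(text):
    """Parse a K<zone>+<alg>+<id>.state file; timestamps keep the UTC stamp."""
    state = {}
    for line in text.splitlines():
        if line.startswith(";") or not line.strip():  # header comment carries the key id
            if m := re.search(r"key (\d+),", line):
                state["keyid"] = int(m.group(1))
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key in ("Published", "Active", "Retired", "Removed"):
            state[key] = datetime.strptime(value.split()[0], "%Y%m%d%H%M%S")
        elif key in ("Lifetime", "Successor", "Predecessor"):
            state[key] = int(value)
        else:
            state[key] = value
    return state

def ipub(policy):
    """Pre-publication interval: how long a new ZSK is published before it signs (assumed formula)."""
    return policy["dnskey-ttl"] + policy["publish-safety"] + policy["zone-propagation-delay"]

def iret_zsk(policy):
    """ZSK retire interval, Retired to Removed: old RRSIGs must age out (assumed formula)."""
    return (policy["signatures-validity"] - policy["signatures-refresh"]
            + policy["max-zone-ttl"] + policy["retire-safety"] + policy["zone-propagation-delay"])

def check_timings(state, policy):
    """Timestamp relations that disagree with the policy; empty when consistent."""
    problems = []
    if state["Retired"] - state["Active"] != timedelta(seconds=state["Lifetime"]):
        problems.append("Retired - Active != Lifetime")
    if state["Removed"] - state["Retired"] != iret_zsk(policy):
        problems.append("Removed - Retired != Iret")
    if "Predecessor" in state and state["Active"] - state["Published"] != ipub(policy):
        problems.append("Active - Published != Ipub")
    return problems

def introduction_complete(state):
    """True once both the DNSKEY and the zone signatures are recorded as omnipresent."""
    return state["DNSKEYState"] == state["ZRRSIGState"] == "omnipresent"

def missing_overlap(states, served_keyids):
    """(predecessor, successor) pairs where the predecessor has left the served DNSKEY
    RRset although the successor's signatures are not yet omnipresent."""
    by_id = {s["keyid"]: s for s in states}
    return [(s["keyid"], s["Successor"]) for s in states
            if s.get("Successor") in by_id and s["keyid"] not in served_keyids
            and by_id[s["Successor"]]["ZRRSIGState"] != "omnipresent"]

if __name__ == "__main__":
    before = parse_state(STATE_15465_BEFORE)
    after = [parse_state(STATE_15465_AFTER), parse_state(STATE_3913)]
    print("Ipub", ipub(POLICY), "Iret", iret_zsk(POLICY), [check_timings(s, POLICY) for s in after])
    print("15465 introduction complete at step 2:", introduction_complete(before))
    print("pairs without overlap after rollover:", missing_overlap(after, SERVED_AFTER))
```

Run against the post's data, all three state files come out timing-consistent (Ipub is 2h05m, which is exactly the 17:22:35 to 19:27:35 gap between the new key's Publish and Activate; Iret is 10 days 1h05m), the pre-rollover state of 15465 fails the introduction_complete check because both its DNSKEYState and ZRRSIGState were still rumoured eight minutes after the key was generated, and missing_overlap reports the (15465, 3913) pair, which is the symptom the post describes. Running the last two checks before and after an `rndc dnssec -rollover` on a real key directory is a cheap way to confirm a rollover is actually overlapping rather than relying on a single dig.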
