KASP Key Rollover: ZSK Disappears Immediately

Nick Tait nick at tait.net.nz
Fri Sep 29 22:32:21 UTC 2023 

On 29/09/23 12:05, Eddie Rowe wrote:
> When I perform a ZSK key rollover the existing ZSK disappears 
> *immediately* so not sure what I am missing when using the KASP to 
> manage key rollover.  The state for the keys looks good and for this 
> test I have TTL set to 1 hour..  But why does dig not show me both 
> DNSKEY records for the ZSK after I initiate the rollover when there 
> should be overlap as described in Automatic DNSSEC Zone Signing Key 
> rollover explained (isc.org) <https://kb.isc.org/docs/aa-00822>?
>
> Bind 9.16.23 which seems to be the newest release provided by my 
> distribution.  I reviewed the ARM for notes for newer releases in the 
> 9.16 branch and did not see mention of any rollover bugs or for dig.
>
>  1.  Here is the key info from dig for ZSK key 15465 at 17:17.
>
>     # dig @localhost myexample.com DNSKEY +multi
>
>     ; <<>> DiG 9.16.23-RH <<>> @localhost myexample.com DNSKEY +multi
>     ; (2 servers found)
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41895
>     ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0,
>     ADDITIONAL: 1
>
>     ;; OPT PSEUDOSECTION:
>     ; EDNS: version: 0, flags:; udp: 1232
>     ; COOKIE: 7c2a0e61926d2d3a010000006515fb68eef12b631ca40c20 (good)
>     ;; QUESTION SECTION:
>     ;myexample.com.         IN DNSKEY
>
>     ;; ANSWER SECTION:
>     myexample.com.          3600 IN DNSKEY 257 3 13 (
>         20agIXl9sQCo00yiHHviYWZG8TvVmDoVxPJwO3mlcwxB
>         le7UNrzNQaeukC6teT4XrqYflqDxcM6d9L/mtREIKA==
>         ) ; KSK; alg = ECDSAP256SHA256 ; key id = 31296
>     myexample.com.          3600 IN DNSKEY 256 3 13 (
>         AlKXH5aebvboC4laAovc6wfg6uGK1uTbTqYYnhKadSq6
>         78nSI3DyM+1t91jqQ81tlBy+e3hJyKtlX/OiOhuZcA==
>                                     ) ; ZSK; alg = ECDSAP256SHA256 ;
>     key id = 15465
>
> ;; Query time: 3 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Sep 28 17:17:12 CDT 2023
> ;; MSG SIZE  rcvd: 230
>
>  3.  Here is the info from the key as far as state goes.
>
>     # more Kmyexample.com.+013+15465.key
>     ; This is a zone-signing key, keyid 15465, for myexample.com.
>     ; Created: 20230928221438 (Thu Sep 28 17:14:38 2023)
>     ; Publish: 20230928221438 (Thu Sep 28 17:14:38 2023)
>     ; Activate: 20230928221438 (Thu Sep 28 17:14:38 2023)
>     ; Inactive: 20231127221438 (Mon Nov 27 16:14:38 2023)
>     ; Delete: 20231207231938 (Thu Dec  7 17:19:38 2023)
>     myexample.com. 3600 IN DNSKEY 256 3 13
>     AlKXH5aebvboC4laAovc6wfg6uGK1uTbTqYYnhKadSq678nSI3DyM+1t
>     91jqQ81tlBy+e3hJyKtlX/OiOhuZcA==
>
>     # more Kmyexample.com.+013+15465.state
>     ; This is the state of key 15465, for myexample.com.
>     Algorithm: 13
>     Length: 256
>     Lifetime: 5184000
>     KSK: no
>     ZSK: yes
>     Generated: 20230928221438 (Thu Sep 28 17:14:38 2023)
>     Published: 20230928221438 (Thu Sep 28 17:14:38 2023)
>     Active: 20230928221438 (Thu Sep 28 17:14:38 2023)
>     Retired: 20231127221438 (Mon Nov 27 16:14:38 2023)
>     Removed: 20231207231938 (Thu Dec  7 17:19:38 2023)
>     DNSKEYChange: 20230928221438 (Thu Sep 28 17:14:38 2023)
>     ZRRSIGChange: 20230928221438 (Thu Sep 28 17:14:38 2023)
>     DNSKEYState: rumoured
>     ZRRSIGState: rumoured
>     GoalState: omnipresent
>
I suspect that the crucial detail above is "DNSKEYState: rumoured". This 
suggests that the last ZSK rollover hasn't been fully completed.


Before starting a rollover it is a good idea to make sure the ZSK that 
you are retiring is in an "omnipresent" state.


The usual reason that the key isn't in omnipresent state is because BIND 
is still waiting for the corresponding DS record to be published and 
available in the parent zone. BIND 9.16 only knows if the DS record is 
published if you've set up parental-agents, or if you've explicitly told 
it using rndc. (BTW BIND 9.19 introduces new default behaviour which 
means you don't need to set parental-agents in order for it to figure 
this out.)


Have a look here: 
https://bind9.readthedocs.io/en/latest/chapter5.html#key-rollover


Specifically:

    /If setting up a parental agent is undesirable, it is also possible
    to tell BIND that the DS is published in the parent with: /|rndc
    dnssec -checkds -key 12345 published dnssec.example.|
    <https://bind9.readthedocs.io/en/latest/manpages.html#cmdoption-rndc-arg-dnssec>/.
    and the DS for the predecessor key has been removed with: /|rndc
    dnssec -checkds -key 54321 withdrawn dnssec.example.|
    <https://bind9.readthedocs.io/en/latest/manpages.html#cmdoption-rndc-arg-dnssec>/.
    where 12345 and 54321 are the key tags of the successor and
    predecessor key, respectively./

Nick.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230930/72c519ae/attachment-0001.htm>

More information about the bind-users mailing list