I am currently exploring the new DNSKEY metadata and dnssec-signzone -S with BIND 9.7.0a3. This feature definitely helps make key management easier and will motivate more operators to sign their zones. Thank you for that.
For this test, I created a zone with one manually timed KSK, one active ZSK and another published ZSK with an activation date in the future.

When I sign the zone from an unsigned zone file, dnssec-signzone works as expected and signs the records only with the active ZSK. Re-signing the signed zone file, however, also includes signatures from the passive ZSK, *unless* I remove the DNSKEY records from the zone file before signing.

I guess this is due to the keys already in the signed zone file overriding the -S switch:

| key
|     Specify which keys should be used to sign the zone.
|     If no keys are specified, then the zone will be examined for
|     DNSKEY records at the zone apex. If these are found and
|     there are matching private keys, in the current directory,
|     then these will be used for signing.

(No "Fetching [...] from key repository" when re-signing)

My question is: Is this the supposed behaviour (i.e. keys already included in a zone don't have their metadata checked, so I would need to remove DNSKEY records), did I miss an option to pass to dnssec-signzone or is it likely to change for the next release?

Hauke.
dnssec-settime/signzone output:

KSK:
| Kkeyroll.dnstest.hauke-lampe.de.+005+07849.key
|
| Created: Wed Sep 16 04:23:39 2009
| Publish: UNSET
| Activate: UNSET
| Revoke: UNSET
| Unpublish: UNSET
| Delete: UNSET

Active ZSK:
| Kkeyroll.dnstest.hauke-lampe.de.+005+42630.key
|
| Created: Wed Sep 16 21:19:34 2009
| Publish: Wed Sep 16 21:19:34 2009
| Activate: Wed Sep 16 21:19:52 2009
| Delete: Tue Oct 13 21:19:34 2009

Passive ZSK:
| Kkeyroll.dnstest.hauke-lampe.de.+005+07701.key
|
| Created: Wed Sep 16 21:21:35 2009
| Publish: Wed Sep 16 21:21:35 2009
| Activate: Tue Sep 29 21:21:35 2009
| Delete: Tue Oct 13 21:21:35 2009

Signing the zone from an unsigned zone file:
| + dnssec-signzone -v 3 -N unixtime -K rollkeys -e +4d -i 172800 -S -T 230042 -o keyroll.dnstest.hauke-lampe.de -f db.keyroll.signed db.keyroll
| Fetching KSK 7849/RSASHA1 from key repository
| Fetching ZSK 42630/RSASHA1 from key repository
| Fetching ZSK 7701/RSASHA1 from key repository
| dnssec-signzone: debug 1: decrement_reference: delete from rbt: 0xb7c83060 keyroll.dnstest.hauke-lampe.de
| dnssec-signzone: debug 1: calling free_rbtdb(.)
| dnssec-signzone: debug 1: done free_rbtdb(.)
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/NSEC:
| dnssec-signzone: signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/42630
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/DNSKEY:
| dnssec-signzone: signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/7849
| dnssec-signzone: signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/42630
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/SOA:
| dnssec-signzone: signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/42630
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/NS:
| dnssec-signzone: signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/42630
| Verifying the zone using the following algorithms: RSASHA1.
| Zone signing complete:
| Algorithm: RSASHA1: ZSKs: 2, KSKs: 1 active, 0 revoked, 0 stand-by
| db.keyroll.signed
| dnssec-signzone: debug 1: calling free_rbtdb(keyroll.dnstest.hauke-lampe.de)
| dnssec-signzone: debug 1: done free_rbtdb(keyroll.dnstest.hauke-lampe.de)

Re-Signing:
| + dnssec-signzone -v 3 -N unixtime -K rollkeys -e +4d -i 172800 -S -T 230042 -o keyroll.dnstest.hauke-lampe.de -f db.keyroll.signed db.keyroll.signed
| dnssec-signzone: debug 1: decrement_reference: delete from rbt: 0xb7c91060 keyroll.dnstest.hauke-lampe.de
| dnssec-signzone: debug 1: calling free_rbtdb(.)
| dnssec-signzone: debug 1: done free_rbtdb(.)
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/SOA:
| dnssec-signzone: rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/42630 dropped - failed to verify
| dnssec-signzone: resigning with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/42630
| dnssec-signzone: signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/7701
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/NS:
| dnssec-signzone: rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/42630 retained
| dnssec-signzone: signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/7701
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/NSEC:
| dnssec-signzone: rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/42630 retained
| dnssec-signzone: signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/7701
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/DNSKEY:
| dnssec-signzone: rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/7849 retained
| dnssec-signzone: rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/42630 retained
| dnssec-signzone: signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/7701
| Verifying the zone using the following algorithms: RSASHA1.
| Zone signing complete:
| Algorithm: RSASHA1: ZSKs: 2, KSKs: 1 active, 0 revoked, 0 stand-by
| db.keyroll.signed
| dnssec-signzone: debug 1: calling free_rbtdb(keyroll.dnstest.hauke-lampe.de)
| dnssec-signzone: debug 1: done free_rbtdb(keyroll.dnstest.hauke-lampe.de)

Re-Signing with DNSKEY records removed:
| + dnssec-signzone -v 3 -N unixtime -K rollkeys -e +4d -i 172800 -S -T 230042 -o keyroll.dnstest.hauke-lampe.de -f db.keyroll.signed db.keyroll.signed
| Fetching KSK 7849/RSASHA1 from key repository
| Fetching ZSK 42630/RSASHA1 from key repository
| Fetching ZSK 7701/RSASHA1 from key repository
| dnssec-signzone: debug 1: decrement_reference: delete from rbt: 0xb7bcb060 keyroll.dnstest.hauke-lampe.de
| dnssec-signzone: debug 1: calling free_rbtdb(.)
| dnssec-signzone: debug 1: done free_rbtdb(.)
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/DNSKEY:
| dnssec-signzone: signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/7849
| dnssec-signzone: signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/42630
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/SOA:
| dnssec-signzone: rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/42630 dropped - failed to verify
| dnssec-signzone: resigning with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/42630
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/NS:
| dnssec-signzone: rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/42630 retained
| dnssec-signzone: keyroll.dnstest.hauke-lampe.de/NSEC:
| dnssec-signzone: rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/42630 retained
| Verifying the zone using the following algorithms: RSASHA1.
| Zone signing complete:
| Algorithm: RSASHA1: ZSKs: 2, KSKs: 1 active, 0 revoked, 0 stand-by
| db.keyroll.signed
| dnssec-signzone: debug 1: calling free_rbtdb(keyroll.dnstest.hauke-lampe.de)
| dnssec-signzone: debug 1: done free_rbtdb(keyroll.dnstest.hauke-lampe.de)
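Added check (not part of the original post): a small Python audit that reads dnssec-settime-style key metadata and a dnssec-signzone -v 3 log, and flags every new signature made by a key whose Activate time is still in the future, which is what the re-signing run above does with ZSK 7701. The key tags, Activate times and log lines are copied from the post; the re-signing time of 2009-09-17 is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: key tags and Activate times copied from the post's settime output.
KEY_METADATA = """\
Kkeyroll.dnstest.hauke-lampe.de.+005+07849.key
Activate: UNSET
Kkeyroll.dnstest.hauke-lampe.de.+005+42630.key
Activate: Wed Sep 16 21:19:52 2009
Kkeyroll.dnstest.hauke-lampe.de.+005+07701.key
Activate: Tue Sep 29 21:21:35 2009
"""
# Constructed sample: SOA and DNSKEY sections of the post's re-signing run (-v 3).
SIGNZONE_LOG = """\
dnssec-signzone: keyroll.dnstest.hauke-lampe.de/SOA:
dnssec-signzone: resigning with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/42630
dnssec-signzone: signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/7701
dnssec-signzone: keyroll.dnstest.hauke-lampe.de/DNSKEY:
dnssec-signzone: rrsig by keyroll.dnstest.hauke-lampe.de/RSASHA1/7849 retained
dnssec-signzone: signing with dnskey keyroll.dnstest.hauke-lampe.de/RSASHA1/7701
"""

def parse_key_metadata(text):
    """Map key tag -> {field: datetime or None}; UNSET means 'no restriction'."""
    keys, cur = {}, None
    for line in text.splitlines():
        if line.endswith(".key"):  # "K<name>.+<alg>+<tag>.key" opens a key's block
            cur = keys.setdefault(int(line[-9:-4]), {})
        elif ":" in line and cur is not None:
            field, val = line.split(":", 1)
            cur[field] = None if val.strip() == "UNSET" else datetime.strptime(val.strip(), "%a %b %d %H:%M:%S %Y")
    return keys

def audit_signing_log(log, keys, now):
    """Return (rrset, keytag, reason) for each new signature by a key not active at `now`."""
    findings, rrset = [], None
    for line in log.splitlines():
        if hdr := re.match(r"dnssec-signzone: (\S+/\w+):$", line):
            rrset = hdr.group(1)  # the RRset the following lines refer to
        elif sig := re.search(r"signing with dnskey \S+/(\d+)$", line):
            tag = int(sig.group(1))  # "rrsig ... retained/dropped" lines are not new signatures
            if tag not in keys:
                findings.append((rrset, tag, "key tag has no timing metadata in the repository"))
            elif keys[tag].get("Activate") and keys[tag]["Activate"] > now:
                findings.append((rrset, tag, f"Activate {keys[tag]['Activate']:%Y-%m-%d} is in the future"))
    return findings

# Assumed re-signing time: the day after the keys were created, before 7701's Activate date.
FINDINGS = audit_signing_log(SIGNZONE_LOG, parse_key_metadata(KEY_METADATA), datetime(2009, 9, 17))
```

Run against the real files, the same check catches a premature ZSK before the signed zone is published, regardless of whether dnssec-signzone consulted the metadata.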
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users