Hi! Using Bind 9.9.5.
I have some questions about the private records which indicate the signing status. From my external key management and monitoring tool I query the private records to get the signing status, e.g. if the signing after a rollover is finished, if a key can be deleted from disk, ... But sometimes I see that the KSK signing is incomplete (last octet=0). As you can see, the KSK (63963, 0xF9DB) is used to sign the DNSKEYs: # dig @83.136.34.28 DNSKEY +dnssec tld-box.com +multi tld-box.com. 60 IN DNSKEY 257 3 7 ( AwEAAa3+Y3K0FTZkaLZqsERhGAHKjHOnCTO+hQMsj8yQ Sw+U/tmplyHTy5zEG6T26G8aGHbS8fnrCGs0EPXKkiWJ jfw+xRgiqbTJmT7o8LTd1CIHO+J4GbKXRV95EjoUH/P9 qfJTbcqjwWblkzhEDuSNilec1pnJ0uEMcN+7z3p7VcC3 H8uFPT2A2PhQ5OPDoGRym4HPkn2zL+hzpSboUeWGoAHw zowuc1/Dt2nKUNoUzDECDZusWDdws9SG+g6CAMSxshvJ haM0GKO9LdlMqkUrP2wdS6bomTM4gTvk2HFFLuzY+ZpX kFkJSx1xjDN4iJxcDtxCpz53jPYaz3ObfbKRzBc= ) ; KSK; alg = NSEC3RSASHA1; key id = 63963 tld-box.com. 60 IN DNSKEY 256 3 7 ( ... tld-box.com. 60 IN RRSIG DNSKEY 7 2 60 ( 20140619162004 20140520152004 63963 tld-box.com. Oywivr89OgqlJHeR6xOtzjTCsH90Jp4NivuC5W8jiGO4 aeWVZOZZhyZs/QkVifUCupjZ/uAlAyTNC1WNeKjej+4P 0A7a++p1U96CF0A1PIWblcNN7HbLv+0JGd6yddIHuNkF ZseefyD2OzRMiKix+5u5xH1NavaOt8ggBPUSlpp/YOdL UFIhoFwkCbAp4a7WYhMZZj+6gCk9RZAZXHo1EuFPtwt4 xd/tl4EK6i37yNxnimS1/KsHx6Gip0yQW0Qt6fOJsk79 laOmLm/xozgwH1CqNq4hjypoPib07m0Aot+7LKP5Svcy +MfG7BLeNVfRqWPI3+ztWVjXZvp/Rlpdzg== ) But the private records indicate: # dig @83.136.34.28 TYPE65534 tld-box.com tld-box.com. 0 IN TYPE65534 \# 5 071D960001 tld-box.com. 0 IN TYPE65534 \# 5 07F9DB0000 tld-box.com. 0 IN TYPE65534 \# 5 07213E0001 As the first octet is not 0, the last octet should indicate the signing status: !=0 means "completed", which is not the case: 5 07F9DB0000 Same with rndc: # rndc signing -list tld-box.com Done signing with key 7574/NSEC3RSASHA1 Done signing with key 8510/NSEC3RSASHA1 Signing with key 63963/NSEC3RSASHA1 What else should the KSK sign? 
Also forcing resign does not change anything:

# rndc sign tld-box.com
# rndc signing -list tld-box.com
Done signing with key 7574/NSEC3RSASHA1
Done signing with key 8510/NSEC3RSASHA1
Signing with key 63963/NSEC3RSASHA1

So, why is the signing not finished? I would like to force Bind to finish the signing so that my monitoring can reliably check the private records.

Further, I see that sometimes there are no private records at all. When does this happen? (I never called "rndc signing -clear") How can I force Bind to always show the private records?

Thanks
Klaus
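A decoder for the TYPE65534 records quoted in the post, added here as an illustration for a monitoring tool; it is not code from the poster or from ISC. It assumes the layout the BIND 9 ARM documents for key-signing private records (algorithm octet, two-octet key id, "removing" flag, "complete" flag, with a leading zero octet marking an NSEC3 chain record instead) and constructs its sample input from the three records shown above.

```python
import re

# DNSSEC algorithm mnemonics; 7 = NSEC3RSASHA1 is the one used in the post.
ALG_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}


def parse_generic_rdata(text):
    """Decode RFC 3597 generic rdata text such as '\\# 5 071D960001' into bytes."""
    m = re.match(r"\\#\s+(\d+)\s*([0-9A-Fa-f\s]*)$", text.strip())
    if not m:
        raise ValueError("not generic (\\#) rdata: %r" % text)
    length = int(m.group(1))
    data = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    if len(data) != length:
        raise ValueError("declared length %d, got %d bytes" % (length, len(data)))
    return data


def decode_signing_record(data):
    """Interpret one TYPE65534 rdata value as BIND 9 writes it (assumed layout).

    Key record: algorithm(1) keyid(2, big-endian) removing(1) complete(1).
    A leading 0 octet means the record tracks an NSEC3 chain, not a key.
    """
    if not data:
        raise ValueError("empty private record")
    if data[0] == 0:
        return {"kind": "nsec3chain", "raw": data.hex()}
    if len(data) != 5:
        raise ValueError("unexpected key record length %d" % len(data))
    alg, keyid = data[0], int.from_bytes(data[1:3], "big")
    return {"kind": "key", "alg": alg, "alg_name": ALG_NAMES.get(alg, str(alg)),
            "keyid": keyid, "removing": data[3] != 0, "complete": data[4] != 0}


def signing_status(rdata_lines):
    """Map key id -> (algorithm name, status), like 'rndc signing -list' reports."""
    out = {}
    for line in rdata_lines:
        rec = decode_signing_record(parse_generic_rdata(line))
        if rec["kind"] != "key":
            continue  # NSEC3 chain records carry no per-key status
        status = ("removing" if rec["removing"]
                  else "done" if rec["complete"] else "signing")
        out[rec["keyid"]] = (rec["alg_name"], status)
    return out


# Constructed sample: the three TYPE65534 records quoted in the post.
SAMPLE = ["\\# 5 071D960001", "\\# 5 07F9DB0000", "\\# 5 07213E0001"]

if __name__ == "__main__":
    for keyid, (alg, status) in sorted(signing_status(SAMPLE).items()):
        print("key %d/%s: %s" % (keyid, alg, status))
```

Run against the sample it reports 7574 and 8510 as done and 63963 as still signing, which is exactly the discrepancy the post describes, so a monitor can flag "complete flag 0 for longer than the expected signing window" rather than treating the record as an error on its own.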