In message <mpnvch$du9$1...@news.albasani.net>, Heiko Richter writes:

> Hi!
>
> I'm hoping someone here can help me with a problem in my DNSSec
> configuration.
>
> I'm running Bind 9 in Debian Jessie and just finished configuring it
> with DNSSec for my zones. Everything including automatic key rollover
> for the ZSKs is working, except for a slight anomaly with my KSKs:
>
> For some reason the KSK isn't only used to sign the ZSKs, but also to
> sign the zone. My server obviously signs the "normal" records with the
> ZSK and the KSK as you can see on this diagnostic site:
> http://dnsviz.net/d/heikorichter.org/dnssec/
>
> Strangely for the TLD and the root zone the same flags are set on their
> keys (257 for KSK and 256 for ZSK) and their servers seem to do it
> right. Their KSKs are only signing the ZSK and their ZSKs are used to
> sign the zone.
>
> How can I force Bind to that same behaviour?
>
> Here is my Options-Clause:
>
>     options {
>         allow-query {
>             any;
>         };
>         allow-recursion {
>             loopback;
>             v1;
>             v2;
>         };
>         auth-nxdomain no;
>         directory "/var/cache/bind";
>         disable-empty-zone yes;
>         dnssec-enable yes;
>         dnssec-validation yes;
>         edns-udp-size 1460;
>         empty-zones-enable no;
>         forwarders { };
>         hostname "v1.heikorichter.org";
>         ixfr-from-differences no;
>         listen-on {
>             any;
>         };
>         listen-on-v6 {
>             any;
>         };
>         max-refresh-time 7200;
>         max-retry-time 1800;
>         max-udp-size 1460;
>         min-refresh-time 900;
>         min-retry-time 600;
>         minimal-responses no;
>         notify yes;
>         preferred-glue AAAA;
>         provide-ixfr no;
>         random-device "/dev/urandom";
>         recursion yes;
>         request-ixfr no;
>         rrset-order {
>             order random;
>         };
>         server-id "v1.heikorichter.org";
>         sig-validity-interval 2400;
>         statistics-file "/etc/bind/stats";
>         transfer-format one-answer;
>         version "Get Lost Pal";
>         zone-statistics yes;
>     };
>
> Command used to generate the KSK:
>
>     dnssec-keygen -r /dev/urandom -f KSK -a ECDSAP384SHA384 \
>         -P now -A +100 -R none -I none -D none \
>         -K /etc/bind/dyn/heikorichter.org heikorichter.org
>
> Command used to generate the ZSK:
>
>     dnssec-keygen -r /dev/urandom -3 -a ECDSAP256SHA256 \
>         -P +2592000 -A +2678400 -R none -I +5443200 -D +5529600 \
>         -K /etc/bind/dyn/heikorichter.org heikorichter.org
Well, you are using 2 algorithms (ECDSAP256SHA256 and ECDSAP384SHA384) and you only have a single key per algorithm, so named signs all the RRsets in the zone with both keys.

> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
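The rule behind Mark's answer is that every algorithm present in a zone's DNSKEY RRset must sign every RRset (RFC 4035, section 2.2), so a KSK that is the only key of its algorithm has to sign the zone data too. As an added example (not from the thread or from ISC), this Python check parses DNSKEY records in presentation format, computes their key tags, and reports per algorithm whether a KSK is left without a ZSK; the records and key material are constructed placeholders, not the poster's real keys.

```python
# Added check (not from the thread): RFC 4035 section 2.2 requires every algorithm
# in the DNSKEY RRset to sign every RRset, so a KSK with no ZSK of the same
# algorithm has to sign the whole zone.  Report that condition per algorithm.
import base64
import struct
from collections import defaultdict

ALG_NAMES = {13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}  # IANA algorithm numbers
SEP_FLAG = 0x0001  # Secure Entry Point bit: KSK flags are 257, ZSK flags are 256

# Constructed sample records with placeholder key material (not real keys).
THREAD_KEYS = [  # the poster's layout: KSK on algorithm 14, ZSK on algorithm 13
    "heikorichter.org. 3600 IN DNSKEY 257 3 14 AAECAwQFBgc=",
    "heikorichter.org. 3600 IN DNSKEY 256 3 13 CAkKCwwNDg8=",
]
FIXED_KEYS = [  # both keys on one algorithm: the usual KSK/ZSK split
    "heikorichter.org. 3600 IN DNSKEY 257 3 13 AAECAwQFBgc=",
    "heikorichter.org. 3600 IN DNSKEY 256 3 13 CAkKCwwNDg8=",
]

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(line):
    """Parse 'owner TTL IN DNSKEY flags protocol algorithm base64...' into a dict."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))  # key may span several tokens
    return {"algorithm": algorithm, "role": "KSK" if flags & SEP_FLAG else "ZSK",
            "tag": key_tag(flags, protocol, algorithm, pubkey)}

def signing_report(lines):
    """Per algorithm: key tags by role, and whether the KSK has to sign zone data."""
    by_alg = defaultdict(list)
    for line in lines:
        if line.strip() and not line.lstrip().startswith(";"):
            key = parse_dnskey(line)
            by_alg[key["algorithm"]].append(key)
    report = {}
    for alg, keys in sorted(by_alg.items()):
        ksks = [k["tag"] for k in keys if k["role"] == "KSK"]
        zsks = [k["tag"] for k in keys if k["role"] == "ZSK"]
        # No ZSK of this algorithm: named has to sign all RRsets with the KSK itself.
        report[ALG_NAMES.get(alg, f"alg{alg}")] = {
            "ksk": ksks, "zsk": zsks, "ksk_signs_zone": bool(ksks) and not zsks}
    return report
```

Feed it the output of `dig +short DNSKEY <zone>` prefixed with the owner name, or the zone's `K*.key` files, to see which key tags will appear in the RRSIGs on ordinary records.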