On 05.08.2015 at 06:15, Mark Andrews wrote:
> In message <mpnvch$du9$1...@news.albasani.net>, Heiko Richter writes:
>> Hi!
>>
>> I'm hoping someone here can help me with a problem in my DNSSec
>> configuration.
>>
>> I'm running Bind 9 in Debian Jessie and just finished configuring it
>> with DNSSec for my zones. Everything including automatic key rollover
>> for the ZSKs is working, except for a slight anomaly with my KSKs:
>>
>> For some reason the KSK isn't only used to sign the ZSKs, but also to
>> sign the zone. My server obviously signs the "normal" records with the
>> ZSK and the KSK as you can see on this diagnostic site:
>> http://dnsviz.net/d/heikorichter.org/dnssec/
>>
>> Strangely for the TLD and the root zone the same flags are set on their
>> keys (257 for KSK and 256 for ZSK) and their servers seem to do it
>> right. Their KSKs are only signing the ZSK and their ZSKs are used to
>> sign the zone.
>>
>> How can I force Bind to that same behaviour?
>>
>> Here is my Options-Clause:
>> options {
>>     allow-query {
>>         any;
>>     };
>>     allow-recursion {
>>         loopback;
>>         v1;
>>         v2;
>>     };
>>     auth-nxdomain no;
>>     directory "/var/cache/bind";
>>     disable-empty-zone yes;
>>     dnssec-enable yes;
>>     dnssec-validation yes;
>>     edns-udp-size 1460;
>>     empty-zones-enable no;
>>     forwarders { };
>>     hostname "v1.heikorichter.org";
>>     ixfr-from-differences no;
>>     listen-on {
>>         any;
>>     };
>>     listen-on-v6 {
>>         any;
>>     };
>>     max-refresh-time 7200;
>>     max-retry-time 1800;
>>     max-udp-size 1460;
>>     min-refresh-time 900;
>>     min-retry-time 600;
>>     minimal-responses no;
>>     notify yes;
>>     preferred-glue AAAA;
>>     provide-ixfr no;
>>     random-device "/dev/urandom";
>>     recursion yes;
>>     request-ixfr no;
>>     rrset-order {
>>         order random;
>>     };
>>     server-id "v1.heikorichter.org";
>>     sig-validity-interval 2400;
>>     statistics-file "/etc/bind/stats";
>>     transfer-format one-answer;
>>     version "Get Lost Pal";
>>     zone-statistics yes;
>> };
>>
>> Command used to generate the KSK:
>> dnssec-keygen -r /dev/urandom -f KSK -a ECDSAP384SHA384 \
>>     -P now -A +100 -R none -I none -D none \
>>     -K /etc/bind/dyn/heikorichter.org heikorichter.org
>>
>> Command used to generate the ZSK:
>> dnssec-keygen -r /dev/urandom -3 -a ECDSAP256SHA256 \
>>     -P +2592000 -A +2678400 -R none -I +5443200 -D +5529600 \
>>     -K /etc/bind/dyn/heikorichter.org heikorichter.org
>
> Well you are using 2 algorithms (ECDSAP256SHA256 and ECDSAP384SHA384)
> and you only have a single key per algorithm so named signs all the
> RRsets in the zone with both keys.
>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
Thanks for the advice, didn't know KSK and ZSK had to be the same algorithm.
My original thought was use a stronger algorithm for the KSK as it doesn't
get rolled over that often. Anyhow, I changed it now and everything works
fine. Thanks!
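The rule behind Mark's answer is that a validator expects every algorithm listed in a zone's DNSKEY RRset to have signed every RRset in the zone (RFC 4035, section 2.2), so when an algorithm has no ZSK, its only key, the KSK, has to sign the zone data as well. The following is an added example, not code from the thread or from BIND: a small Python model of that rule that takes a constructed list of keys (flags and IANA algorithm numbers; 13 = ECDSAP256SHA256, 14 = ECDSAP384SHA384) and reports which keys end up signing ordinary RRsets, so the "KSK signs the zone" symptom from the original key set can be spotted before the zone is published. The key labels and the `Key` class are assumptions for the example.

```python
"""Added example: which DNSKEYs must sign zone data under the
"every algorithm signs everything" rule of RFC 4035 section 2.2.
Not code from the thread or from BIND; the labels are constructed."""
from dataclasses import dataclass

# DNSKEY flag values: ZONE (256) for a ZSK, ZONE + SEP (257) for a KSK.
ZSK_FLAGS = 256
KSK_FLAGS = 257
SEP_BIT = 1

# IANA DNS Security Algorithm Numbers used in the thread.
ECDSAP256SHA256 = 13
ECDSAP384SHA384 = 14


@dataclass(frozen=True)
class Key:
    name: str        # constructed label, e.g. "KSK-14"
    flags: int       # DNSKEY flags field
    algorithm: int   # DNSKEY algorithm number

    @property
    def is_ksk(self) -> bool:
        # The SEP bit is what dnssec-keygen -f KSK sets on top of ZONE.
        return self.flags & SEP_BIT == SEP_BIT


def signers_for_zone_data(keys):
    """Return the keys that have to sign ordinary (non-DNSKEY) RRsets.

    For each algorithm present in the DNSKEY RRset a validator needs a
    complete chain, so: if the algorithm has ZSKs, they sign the zone
    data; if it has no ZSK at all, its KSK(s) must sign the zone data
    themselves. That second branch is the anomaly seen in the thread.
    """
    by_alg = {}
    for key in keys:
        by_alg.setdefault(key.algorithm, []).append(key)

    signers = []
    for _alg, alg_keys in sorted(by_alg.items()):
        zsks = [k for k in alg_keys if not k.is_ksk]
        ksks = [k for k in alg_keys if k.is_ksk]
        signers.extend(zsks if zsks else ksks)
    return signers


def ksks_signing_zone_data(keys):
    """KSKs that will be used on zone data: empty for a healthy key set."""
    return [k for k in signers_for_zone_data(keys) if k.is_ksk]


def describe(keys) -> str:
    """Human-readable verdict for a key set."""
    offenders = ksks_signing_zone_data(keys)
    if not offenders:
        return "ok: zone data is signed by ZSKs only"
    names = ", ".join(k.name for k in offenders)
    return f"warning: {names} will sign zone data (no ZSK for that algorithm)"


# Constructed key sets mirroring the thread: the original mixed-algorithm
# pair, and the corrected single-algorithm pair.
ORIGINAL_KEYS = [
    Key("KSK-14", KSK_FLAGS, ECDSAP384SHA384),
    Key("ZSK-13", ZSK_FLAGS, ECDSAP256SHA256),
]
FIXED_KEYS = [
    Key("KSK-13", KSK_FLAGS, ECDSAP256SHA256),
    Key("ZSK-13", ZSK_FLAGS, ECDSAP256SHA256),
]

if __name__ == "__main__":
    print("original:", describe(ORIGINAL_KEYS))
    print("fixed:   ", describe(FIXED_KEYS))
```

The model covers the general case (any number of algorithms and keys), not just the two-key setup in the thread: adding a ZSK for algorithm 14 to the original set would also clear the warning, which is the other way to satisfy the rule if a stronger KSK algorithm is really wanted.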