Hi Holger, thanks, I just checked and can confirm your results, everything is fine now. No manual action done.
But when I look at the dnsviz.net analysis, I see this http://dnsviz.net/d/microscopium.de/Ve0Nnw/dnssec/ 15 hours ago (analyzed 2015-09-07 04:07:59 UTC), and this http://dnsviz.net/d/microscopium.de/dnssec/ 4 hours ago (analyzed 2015-09-07 15:03:18 UTC). Your checks at Mon Sep 07 11:50:31 CEST 2015 are in between these two analyses. Doesn't the first analysis show a double signed zone? However, I'll leave it like it is for now, and see what happens next week ;)

Thanks again,

Robert

On Monday, 07.09.2015, 12:48 +0200, Holger Zuleger wrote:
> On 05.09.2015 11:53, Robert Senger wrote:
> > Hi all,
> >
> > I am having trouble with the DNSSEC ZSK rollover for one of my zones.
> > Key rollover for all zones was scheduled at Thursday September 3,
> > 22:00:00 CEST. While everything worked well for most zones, one zone
> > became double signed. Below I've pasted public keys for one good and for
> > the double signed zone, and links to dnsviz.net that show what has
> > happened.
> >
> > Double signed zone:
> >
> > root@prokyon:/etc/bind# cat Kmicroscopium.de.+008+18903.key
> > ; This is a zone-signing key, keyid 18903, for microscopium.de.
> > ; Created: 20150827010002 (Thu Aug 27 03:00:02 2015)
> > ; Publish: 20150827180000 (Thu Aug 27 20:00:00 2015)
> > ; Activate: 20150827200000 (Thu Aug 27 22:00:00 2015)
> > ; Inactive: 20150903200000 (Thu Sep 3 22:00:00 2015)
> > ; Delete: 20150910200000 (Thu Sep 10 22:00:00 2015)
> > microscopium.de. IN DNSKEY 256 3 8
> > AwEAAcH+5fi77XDBXYagvneBQNiPGGrohgXXf5t0DY1+rt6GUzBkEIle
> > QdonDdjWmyHoANUZ/VStOgpZJFGQrp3LxtgtvZZbFq9EfQ4waMWQWY36
> > pxhDyac1X72dm3Eb+378GnR8SeIT+/NJDOEr9+yWrOd/FEM7le3JJyV5
> > qQrgP70R9QsMHRbttOJxd0qAHWod/vrY3uegx54i3REVpZwtxS3nhuUl
> > kqxMbILTFiDV6LpI4bAasTc7Es08vs2op0fy/wT36x0ma2SttgWDOL+e
> > jLqgWF5qiMYqrXScggPOTTaMiW0rPBKntpqkifl0G56IOOKAkVzqk4ME C3Ve3tBcY0M=
> > root@prokyon:/etc/bind# cat Kmicroscopium.de.+008+03234.key
> > ; This is a zone-signing key, keyid 3234, for microscopium.de.
> > ; Created: 20150903110745 (Thu Sep 3 13:07:45 2015)
> > ; Publish: 20150903180000 (Thu Sep 3 20:00:00 2015)
> > ; Activate: 20150903200000 (Thu Sep 3 22:00:00 2015)
> > ; Inactive: 20150910200000 (Thu Sep 10 22:00:00 2015)
> > ; Delete: 20150917200000 (Thu Sep 17 22:00:00 2015)
> > microscopium.de. IN DNSKEY 256 3 8
> > AwEAAdT8E9n/mCorGHF4u4GBJnQ+4QzRDXQlhZjCLhRCxNAVWKaaLBYJ
> > Vzx0uvtc8/W7+wX/Sax/S5EK1ym/74tzXH7q323t8gLEt78ZERHF5zEU
> > DAvGEa+/Evf/h1M72FLOFjVpAhHfSc3JKfUYi8hrws7kZ4twMsEIepso
> > dSMfa9N7WpQPkfjIAaY/kSxVcapCvKzmleiSU1Q2hRvduOwfTjE90xxg
> > OfGzA7C+sCIT09pqtemluzYdOs1NaONrkaUD3ad+InqAne/a8xhnjZfD
> > Nz57oxaYsffgiMahUVNTzMZukLbn30soRatdGEgEFmYvpSrrgDX3ceu3 3sNSzDhwIKE=
> I'm pretty much sure that this zone is *not* double signed.
> Using dig I'm getting this:
>
> $ dig +dnssec +multi +nocrypto soa microscopium.de
>
> ; <<>> DiG 9.11.0pre-alpha <<>> +dnssec +multi +nocrypto soa microscopium.de
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6796
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1460
> ; COOKIE: c8bb9ae44c57653ceb701b8b55ed5cfb6c8039aa6b918c0e (good)
> ;; QUESTION SECTION:
> ;microscopium.de. IN SOA
>
> ;; ANSWER SECTION:
> microscopium.de. 3453 IN SOA mydnssec.eu. hostmaster.microscopium.de. (
>                 2015082120 ; serial
>                 14400      ; refresh (4 hours)
>                 3600       ; retry (1 hour)
>                 604800     ; expire (1 week)
>                 3600       ; minimum (1 hour)
>                 )
> microscopium.de. 3453 IN RRSIG SOA 8 2 3600 (
>                 20150914082528 20150907072528 3234
>                 microscopium.de.
>                 [omitted] )
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.1.1#53(127.0.1.1)
> ;; WHEN: Mon Sep 07 11:46:35 CEST 2015
> ;; MSG SIZE rcvd: 433
>
>
> So the key used for signing "regular" RR sets is the one with tag 3234.
>
>
> $ dig +dnssec +multi +nocrypto dnskey microscopium.de
>
> ; <<>> DiG 9.11.0pre-alpha <<>> +dnssec +multi +nocrypto dnskey microscopium.de
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32278
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1460
> ; COOKIE: 4e815a77f7ec0e42e149deeb55ed5de727d5ab9235815cf7 (good)
> ;; QUESTION SECTION:
> ;microscopium.de. IN DNSKEY
>
> ;; ANSWER SECTION:
> microscopium.de. 3096 IN DNSKEY 256 3 8 (
>                 [key id = 18903]
>                 ) ; ZSK; alg = RSASHA256; key id = 18903
> microscopium.de. 3096 IN DNSKEY 256 3 8 (
>                 [key id = 3234]
>                 ) ; ZSK; alg = RSASHA256; key id = 3234
> microscopium.de. 3096 IN DNSKEY 257 3 8 (
>                 [key id = 29764]
>                 ) ; KSK; alg = RSASHA256; key id = 29764
> microscopium.de. 3096 IN RRSIG DNSKEY 8 2 3600 (
>                 20150911105838 20150904095838 3234
>                 microscopium.de.
>                 [omitted] )
> microscopium.de. 3096 IN RRSIG DNSKEY 8 2 3600 (
>                 20150911105838 20150904095838 29764
>                 microscopium.de.
>                 [omitted] )
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.1.1#53(127.0.1.1)
> ;; WHEN: Mon Sep 07 11:50:31 CEST 2015
> ;; MSG SIZE rcvd: 2018
>
>
> The keyset itself is signed by the ZSK with tag 3234 and the KSK with
> tag 29764.
>
> The old ZSK with tag 18903 is still in the zone but this is the correct
> behavior of a Pre-Publish (zone)signing key rollover.
>
> I guess you have to wait another 3 days before the old ZSK is removed
> from the DNSKEY set.
>
> Regards
> Holger
>

-- 
Robert Senger
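The check Holger performs by hand above (which key tag actually signs the data RRsets, which ZSKs are merely published in the DNSKEY RRset, and when the retired one is due to leave) can be automated. The following is an added example, not code from the thread or from BIND: it parses constructed `dig +dnssec +multi +nocrypto` output and constructed K*.key headers that mirror the answers and timers quoted in the thread (tags 18903, 3234 and 29764), and classifies the rollover state at the time of Holger's check. The function names, the verdict labels and the sample inputs are this example's own assumptions.

```python
"""Classify a DNSSEC ZSK rollover from `dig +dnssec +multi +nocrypto` output and from
the timers in BIND's K*.key files.  Added example, not code from the thread; every
input below is constructed to mirror the thread's dig answers and key-file headers."""
import re
from collections import defaultdict
from datetime import datetime, timezone
# Constructed: the SOA RRSIG from the SOA query plus the full DNSKEY answer.
DIG_OUTPUT = """\
microscopium.de. 3453 IN RRSIG SOA 8 2 3600 (
    20150914082528 20150907072528 3234
    microscopium.de. [omitted] )
microscopium.de. 3096 IN DNSKEY 256 3 8 (
    [key id = 18903]
    ) ; ZSK; alg = RSASHA256; key id = 18903
microscopium.de. 3096 IN DNSKEY 256 3 8 (
    [key id = 3234]
    ) ; ZSK; alg = RSASHA256; key id = 3234
microscopium.de. 3096 IN DNSKEY 257 3 8 (
    [key id = 29764]
    ) ; KSK; alg = RSASHA256; key id = 29764
microscopium.de. 3096 IN RRSIG DNSKEY 8 2 3600 (
    20150911105838 20150904095838 3234
    microscopium.de. [omitted] )
microscopium.de. 3096 IN RRSIG DNSKEY 8 2 3600 (
    20150911105838 20150904095838 29764
    microscopium.de. [omitted] )
"""
# Constructed: what a genuinely double-signed zone would serve (a second SOA RRSIG).
DOUBLE_SIGNED_OUTPUT = DIG_OUTPUT + """\
microscopium.de. 3453 IN RRSIG SOA 8 2 3600 (
    20150914082528 20150907072528 18903
    microscopium.de. [omitted] )
"""
# Constructed K*.key headers carrying the thread's timers (BIND stores them in UTC).
KEY_FILES = {
    18903: "; Publish: 20150827180000\n; Activate: 20150827200000\n"
           "; Inactive: 20150903200000\n; Delete: 20150910200000\n",
    3234: "; Publish: 20150903180000\n; Activate: 20150903200000\n"
          "; Inactive: 20150910200000\n; Delete: 20150917200000\n",
}
CHECK_TIME = datetime(2015, 9, 7, 9, 50, 31, tzinfo=timezone.utc)  # Mon Sep 07 11:50:31 CEST
DNSKEY_RE = re.compile(r'\sIN\s+DNSKEY\s+(\d+)\s+3\s+\d+\s+\(')
RRSIG_RE = re.compile(r'\sIN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+\(')
KEYID_RE = re.compile(r'^\s*\).*key id = (\d+)')
SIGFIELDS_RE = re.compile(r'^\s*(\d{14})\s+(\d{14})\s+(\d+)\s*$')  # expiry inception tag

def parse_dig(text):
    """Return (keys, sigs): key tag -> DNSKEY flags (256 ZSK, 257 KSK); RR type -> signing tags."""
    keys, sigs, current = {}, defaultdict(set), None
    for line in text.splitlines():
        if m := DNSKEY_RE.search(line):
            current = ('DNSKEY', int(m.group(1)))  # inside a multi-line DNSKEY record
        elif m := RRSIG_RE.search(line):
            current = ('RRSIG', m.group(1))        # inside a multi-line RRSIG record
        elif current and current[0] == 'DNSKEY' and (m := KEYID_RE.match(line)):
            keys[int(m.group(1))] = current[1]
        elif current and current[0] == 'RRSIG' and (m := SIGFIELDS_RE.match(line)):
            sigs[current[1]].add(int(m.group(3)))
        if current and ')' in line:                # closing paren ends the record
            current = None
    return keys, dict(sigs)

def parse_timestamps(header):
    """Read the '; Publish: YYYYMMDDHHMMSS' style timers from a K*.key header."""
    return {m.group(1): datetime.strptime(m.group(2), '%Y%m%d%H%M%S').replace(tzinfo=timezone.utc)
            for m in re.finditer(r'^;\s*(Publish|Activate|Inactive|Delete):\s*(\d{14})', header, re.M)}

def key_state(times, at):
    """Lifecycle state of one key at `at`: the latest timer that has already fired."""
    for timer, state in (('Delete', 'deleted'), ('Inactive', 'inactive'), ('Activate', 'active'), ('Publish', 'published')):
        if timer in times and at >= times[timer]:
            return state
    return 'unpublished'

def diagnose(dig_text, key_files, at):
    """Compare what the zone serves with what the key timers say it should serve."""
    keys, sigs = parse_dig(dig_text)
    zsks = {tag for tag, flags in keys.items() if flags == 256}
    # Only RRsets other than DNSKEY reveal which ZSK is really signing the zone data.
    data_sigs = {rtype: tags & zsks for rtype, tags in sigs.items() if rtype != 'DNSKEY'}
    signing = set().union(*data_sigs.values())
    double = sorted(rtype for rtype, tags in data_sigs.items() if len(tags) > 1)
    states = {tag: key_state(parse_timestamps(hdr), at) for tag, hdr in key_files.items()}
    if double:
        verdict = 'double signed'
    elif len(zsks) > 1 and len(signing) == 1:
        verdict = 'pre-publish rollover in progress'  # extra ZSK published, not signing
    elif len(zsks) == 1 and signing == zsks:
        verdict = 'steady state'
    else:
        verdict = 'unexpected'
    return {
        'verdict': verdict, 'published_zsks': sorted(zsks), 'signing_zsks': sorted(signing),
        'timing_matches': signing == {tag for tag, st in states.items() if st == 'active'},
        # Whole days until each retired-but-still-published ZSK leaves the DNSKEY RRset.
        'days_until_removal': {
            tag: int((parse_timestamps(key_files[tag])['Delete'] - at).total_seconds() // 86400)
            for tag, st in states.items() if st == 'inactive'},
    }
```

Calling `diagnose(DIG_OUTPUT, KEY_FILES, CHECK_TIME)` reports a pre-publish rollover in progress with both ZSKs published, only 3234 signing, the timers agreeing with what is served, and 18903 due for removal in 3 days; `diagnose(DOUBLE_SIGNED_OUTPUT, KEY_FILES, CHECK_TIME)` reports a double-signed zone and a timer mismatch. The decisive signal is the RRSIG over a data RRset such as SOA, not the mere presence of two ZSKs in the DNSKEY RRset, which is exactly the distinction Holger draws.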