In message <CAGfsgR18n0ZaX0nXo=b3+xtr17zu+ac2y+l6uwqvqhps5np...@mail.gmail.com>, Jim Popovitch writes:
> Hello,
>
> I recently rolled out auto-dnssec and inline-signing (v9.9.5), and
> today (1-Oct 00:00 UTC) was the first automatic zsk rollover.
> According to http://dnsviz.net/d/domainmail.org/dnssec/ it appears
> that the SOA is signed by the new zsk, but the rest of the RRs are
> still signed by the old. That concerns me. Is it as simple as
> cached responses?
Named re-signs RRsets as they fall due. The key(s) that will sign the set is determined by whether it is active or not at that point in time. Named does not re-sign the whole zone just because a key became active. As long as both the new and old keys are in the DNSKEY RRset until the last RRset is re-signed and the old signatures have timed out of caches, everything will validate.

Named's primary job is to answer queries. Its secondary job is to re-sign RRsets. Re-signing too early is just wasting computing resources and takes named away from its primary role.

A key rollover should look like this:

key1 PPPPP------------------------------------
key2 SSSSSSPPPPPPPPPPPPPPPPPPPPPPPPP----------
key3 -----PSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
key4 -------------------------------PSSSSSSSSS
sigs MMM222MMMMMMMMMMMMMMMMMMMMMMM333MMMMMMMMM

S = Signing and published
P = Publish only
- = does not exist in the zone
M = mixed signatures in the zone
2 = only key2 signatures
3 = only key3 signatures

> -Jim P.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
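The timeline in the reply above, turned into a day-by-day model (an added example, not code from the thread or from BIND): each RRset is re-signed only when its own signature falls due, with whichever key is active that day, and the check is the validator's invariant that every RRSIG a cache may still hold matches a key present in every DNSKEY RRset a cache may still hold. Key tags, publish/activate/retire/delete days, the re-sign interval and the TTL are all constructed, and the model ignores BIND's real timing knobs (sig-validity-interval and friends).

```python
# Constructed model of "re-sign RRsets as they fall due" during a ZSK rollover.
PUBLISH_ONLY, SIGNING, ABSENT = "P", "S", "-"

def key_state(key, day):
    """State of one key on a day, using the P/S/- legend from the thread."""
    tag, publish, activate, retire, delete = key
    if day < publish or day >= delete:
        return ABSENT
    if activate is not None and activate <= day < retire:
        return SIGNING
    return PUBLISH_ONLY

def simulate(keys, rrsets, days, resign_interval, ttl):
    """rrsets maps name -> (tag, day_signed) of its current RRSIG. Caches may
    hold any RRSIG or DNSKEY RRset for `ttl` days after it was last served,
    so every RRSIG still cacheable needs a key seen in the whole window."""
    signer = dict(rrsets)
    stale = []                       # (old_tag, day_replaced) of superseded RRSIGs
    history = []
    for day in range(days):
        active = [k[0] for k in keys if key_state(k, day) == SIGNING]
        for name, (tag, signed) in list(signer.items()):
            if active and signed + resign_interval <= day:
                stale.append((tag, day))
                signer[name] = (active[0], day)     # re-sign with the active key
        needed = {tag for tag, _ in signer.values()}
        needed |= {tag for tag, when in stale if day < when + ttl}
        window = range(max(day - ttl, 0), day + 1)
        visible = {k[0] for k in keys
                   if all(key_state(k, d) != ABSENT for d in window)}
        history.append((day, sorted(needed), sorted(visible), needed <= visible))
    return history

def first_failure(history):
    """Day on which some cacheable RRSIG has no matching cached DNSKEY, or None."""
    return next((day for day, _, _, ok in history if not ok), None)

# Tag, publish day, activate day, retire day, delete day (constructed values).
KEYS = [(11, 0, None, None, 6),      # old ZSK: publish-only, removed on day 6
        (22, 0, 0, 10, 40),          # signing now, retires day 10, stays published
        (33, 5, 10, 50, 60)]         # pre-published day 5, signs from day 10
RRSETS = {"soa": (22, -1), "ns": (11, -5), "mx": (11, -3), "a": (22, 0)}

if __name__ == "__main__":
    for day, needed, visible, ok in simulate(KEYS, RRSETS, 45, 7, 2):
        print(f"day {day:2d} needed={needed} visible={visible} {'ok' if ok else 'BROKEN'}")
```

Shortening key 11's delete day to 5, or publishing key 33 on the same day it starts signing, makes first_failure report the day a cached RRSIG no longer has a cached DNSKEY to validate against.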