Hi Daniel,
This zone was signed before, prior to switching to 'dnssec-policy'? Or
did you enable DNSSEC by adding 'dnssec-policy'?
If you have them, would you be able to share with me (off list) the logs
and the key (state) files?
- Matthijs
On 23-12-2020 10:47, Daniel Stirnimann wrote:
Hello Matthijs,
I'm testing with version 9.16.9.
Ok, I'm more confused now.
For the current key rollover the DNSKEY RRset is not signed with both
the old key 6207 and the new key 15769 but only with the new key 15769.
The domain is now bogus:
https://dnsviz.net/d/badware.ch/X-MRAg/dnssec/
rndc dnssec -status badware.ch
dnssec-policy: test
current time: Wed Dec 23 10:42:00 2020
key: 39414 (ECDSAP256SHA256), CSK
published: no
key signing: no
zone signing: no
Key has been removed from the zone
- goal: hidden
- dnskey: unretentive
- ds: unretentive
- zone rrsig: unretentive
- key rrsig: hidden
key: 6207 (ECDSAP256SHA256), CSK
published: yes - since Wed Dec 16 07:33:24 2020
key signing: no
zone signing: no
Key is retired, will be removed on Fri Jan 1 11:43:24 2021
- goal: hidden
- dnskey: omnipresent
- ds: unretentive
- zone rrsig: unretentive
- key rrsig: hidden
key: 15769 (ECDSAP256SHA256), CSK
published: yes - since Wed Dec 23 07:33:24 2020
key signing: yes - since Wed Dec 23 07:33:24 2020
zone signing: yes - since Wed Dec 23 09:38:24 2020
Next rollover scheduled on Wed Dec 30 07:33:24 2020
- goal: omnipresent
- dnskey: omnipresent
- ds: rumoured
- zone rrsig: rumoured
- key rrsig: omnipresent
Daniel
On 23.12.20 10:33, Matthijs Mekking wrote:
Hi Daniel,
With which specific 9.16 version are you testing? The first versions
used an unsafe time based rollover, assuming the DS would be published
withing a certain time. In 9.16.7 a new rndc command "rndc dnssec
-checkds" was introduced to tell BIND 9 that the DS for a given key has
been published.
Best regards,
Matthijs
On 23-12-2020 09:53, Daniel Stirnimann wrote:
Hi all,
I'm testing the key rollover behavior of BIND 9.16 with the new
introduced "dnssec-policy" statement.
The ISC DNSSEC Guide, chapter Working with the Parent Zone (2) [1] states:
"At the time of this writing (mid-2020) BIND does not check for the
presence of a DS record in the parent zone before completing the KSK or
CSK rollover and withdrawing the old key. Instead, you need to use the
rndc tool to tell named that the DS record has been published."
The last sentence that one has to tell named that the DS record has been
published is not what I'm observing. My tests show that BIND continues
(finishes) the key rollover. The use of the rndc tool is not required.
Is this an error in the documentation?
dnsviz output of the test domain:
badware.ch signed with key 39414 but no trust anchor in .ch yet:
https://dnsviz.net/d/badware.ch/X9DD2w/dnssec/
badware.ch DNSSEC boostrap completed (with trust anchor in .ch,
automatically picked up by CDS/CDNSKEY polling by the parent):
https://dnsviz.net/d/badware.ch/X9ZGPA/dnssec/
badware.ch key rollover from key 39414 to key 6207 in progress:
https://dnsviz.net/d/badware.ch/X9oemQ/dnssec/
badware.ch previous key rollover finished. key 39414 is unused and will
be removed from the DNSKEY rrset soon. No "rndc" command has been used
to tell named to complete the key rollover.
Next key rollover started with the introduction of key 15769:
https://dnsviz.net/d/badware.ch/X-L1BQ/dnssec/
DNSSEC Policy:
dnssec-policy "test" {
keys {
csk key-directory lifetime 7d algorithm 13;
};
// Key timings
dnskey-ttl 3600;
publish-safety 1h;
retire-safety 1h;
// Zone parameters
max-zone-ttl 3600;
zone-propagation-delay 300;
// Parent parameters
parent-ds-ttl 1h;
parent-propagation-delay 1h;
};
Thank you,
Daniel
[1]
https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
