Hi Thomas,
Your policy requests four keys in two algorithms: rsasha1 and
ecdsap256sha256. The keys that are being retired are of algorithm
rsasha256. Because the existing algorithms don't match the policy, they
are being retired.
In other words, it doesn't look like the existing keys were of algorithm
rsasha1.
Also keep in mind that if the configured length of the keys in
dnssec-policy doesn't match the existing keys, the existing keys will also
be retired.
Best regards,
Matthijs
On 15-01-2021 11:49, von Dein, Thomas wrote:
Howdy,
I have a domain which is being signed automatically using auto-dnssec on an
older bind9, it uses RSASHA1 keys. Now the registry requires us to move to a
more secure algorithm. Therefore I updated bind to bind9.16.6. Now I could
switch to dnssec-policy; however, if I change the algorithm, it immediately
drops the old keys instead of retiring them. I didn't find any hint in the docs
or on the net on how to do this.
So this was the old config:
zone "customer.bank" in {
        type master;
        file "zone/master/customer.bank";
        key-directory "/usr/local/etc/namedb/zone/keys";
        auto-dnssec maintain;
        inline-signing yes;
        dnssec-dnskey-kskonly yes;
};
Now after upgrading I changed it to:
dnssec-policy "eval" {
        keys {
                ksk lifetime 2d algorithm rsasha1;
                zsk lifetime 2d algorithm rsasha1;
                ksk lifetime 365d algorithm ecdsap256sha256;
                zsk lifetime 60d algorithm ecdsap256sha256;
        };
};

zone "helaba.bank" in {
        type master;
        file "zone/master/helaba.bank";
        key-directory "/usr/local/etc/namedb/zone/keys";
        dnssec-policy "eval";
};
My idea was to retire the rsasha1 keys after 2 days and then replace them with
the newly generated ones. However, this is what bind actually did:
15-Jan-2021 11:20:46.036 zoneload: zone customer.bank/IN (unsigned): loaded serial 2020100500
15-Jan-2021 11:20:46.042 zoneload: zone customer.bank/IN (signed): loaded serial 2020100551 (DNSSEC signed)
15-Jan-2021 11:20:46.049 general: zone customer.bank/IN (signed): receive_secure_serial: unchanged
15-Jan-2021 11:20:46.297 notify: zone customer.bank/IN (signed): sending notifies (serial 2020100551)
15-Jan-2021 11:20:46.297 dnssec: zone customer.bank/IN (signed): reconfiguring zone keys
15-Jan-2021 11:20:46.311 dnssec: keymgr: retire DNSKEY customer.bank/RSASHA256/31284 (ZSK)
15-Jan-2021 11:20:46.311 dnssec: keymgr: retire DNSKEY customer.bank/RSASHA256/39364 (KSK)
15-Jan-2021 11:20:46.664 dnssec: keymgr: DNSKEY customer.bank/RSASHA1/14477 (KSK) created for policy eval
15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/RSASHA1/61258 (ZSK) created for policy eval
15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) created for policy eval
15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) created for policy eval
15-Jan-2021 11:20:46.938 dnssec: DNSKEY customer.bank/RSASHA256/31284 (ZSK) is now deleted
15-Jan-2021 11:20:46.938 dnssec: DNSKEY customer.bank/RSASHA256/39364 (KSK) is now deleted
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/RSASHA1/14477 (KSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/14477 (KSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/14477 (KSK) is now active
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/RSASHA1/61258 (ZSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/61258 (ZSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/61258 (ZSK) is now active
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/ECDSAP256SHA256/41200 (KSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) is now active
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/ECDSAP256SHA256/55282 (ZSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) is now active
15-Jan-2021 11:20:46.985 dnssec: zone customer.bank/IN (signed): next key event: 15-Jan-2021 13:20:46.297
15-Jan-2021 11:20:51.305 notify: zone customer.bank/IN (signed): sending notifies (serial 2020100558)
In fact it created 2 new key pairs, one for rsasha1 and one for ecdsap256sha256.
I am pretty sure my setup is invalid somehow.
So how could I configure bind so that it keeps the existing rsasha1 keys for a
while and uses the new ones only afterwards?
Best regards,
Tom
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
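The rule Matthijs gives above (keymgr retires every existing key whose algorithm, or configured length, is not listed in the dnssec-policy) can be checked against the key files in key-directory before named is reloaded, so the retirements in Thomas's log are not a surprise. The following pre-flight check is an added example written for this thread; it is not BIND's own code and not from either poster. It assumes BIND's K<zone>.+<alg>+<keyid>.key file naming, RFC 4034 DNSKEY lines in the .key files with RSA public keys in RFC 3110 encoding, and BIND's documented default of 2048 bits when an RSA entry gives no length. The two key files embedded below are constructed samples (the key ids are the RSASHA256 ids from the log, the key material is fake), and the second policy is a hypothetical correction that lists the existing algorithm alongside ecdsap256sha256.

```python
"""Pre-flight check: which existing DNSSEC keys would a dnssec-policy retire?

Added example for the bind-users thread; not BIND's code. Applies the rule that
keymgr retires keys whose type, algorithm or (for RSA) length has no matching
entry in the policy's "keys" block.
"""
import base64
import re

# IANA DNSSEC algorithm numbers -> the mnemonics dnssec-policy accepts.
ALGORITHMS = {5: "rsasha1", 7: "nsec3rsasha1", 8: "rsasha256", 10: "rsasha512",
              13: "ecdsap256sha256", 14: "ecdsap384sha384", 15: "ed25519", 16: "ed448"}
RSA_ALGS = {5, 7, 8, 10}
DEFAULT_RSA_BITS = 2048  # assumption: BIND's default length for RSA policy keys

KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<id>\d{5})\.key$")
POLICY_KEY_RE = re.compile(r"\b(ksk|zsk|csk)\b[^;]*?algorithm\s+(\w+)(?:\s+(\d+))?\s*;")


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size of an RFC 3110 RSA public key (exponent length, exponent, modulus)."""
    if pubkey[0] != 0:
        exp_len, off = pubkey[0], 1
    else:  # three-byte length form for exponents longer than 255 bytes
        exp_len, off = int.from_bytes(pubkey[1:3], "big"), 3
    return int.from_bytes(pubkey[off + exp_len:], "big").bit_length()


def parse_key_file(name: str, contents: str) -> dict:
    """Zone, algorithm, key id, KSK/ZSK flag and RSA length from a BIND .key file."""
    m = KEYFILE_RE.match(name)
    if not m:
        raise ValueError(f"not a BIND key file name: {name}")
    alg = int(m.group("alg"))
    info = {"file": name, "zone": m.group("zone"), "alg": alg, "keyid": int(m.group("id")),
            "algname": ALGORITHMS.get(alg, f"alg{alg}"), "type": None, "bits": None}
    for line in contents.splitlines():
        fields = line.split()
        if line.startswith(";") or "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")           # <owner> [ttl] IN DNSKEY flags proto alg key...
        info["type"] = "KSK" if int(fields[i + 1]) & 1 else "ZSK"   # SEP bit marks the KSK
        if alg in RSA_ALGS:
            info["bits"] = rsa_modulus_bits(base64.b64decode("".join(fields[i + 4:])))
    return info


def parse_policy_keys(policy: str) -> list:
    """(ksk|zsk|csk, algorithm, length-or-None) for each entry in a dnssec-policy keys block."""
    return [(t, a.lower(), int(n) if n else None) for t, a, n in POLICY_KEY_RE.findall(policy)]


def keys_that_would_be_retired(existing: list, policy_keys: list) -> list:
    """Existing keys without a policy entry of the same type, algorithm and length."""
    retired = []
    for k in existing:
        for ktype, alg, bits in policy_keys:
            if bits is None and k["bits"] is not None:
                bits = DEFAULT_RSA_BITS
            if (ktype == "csk" or ktype.upper() == k["type"]) and alg == k["algname"] \
                    and (bits is None or bits == k["bits"]):
                break
        else:
            retired.append(k)
    return retired


def _fake_rsa_dnskey_b64(bits: int) -> str:
    """Constructed RFC 3110 blob (exponent 65537 + a fake modulus); not a real key."""
    modulus = bytes([0xC5]) + bytes([0x5A]) * (bits // 8 - 1)
    return base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode()


SAMPLE_KEYFILES = {  # constructed contents; key ids taken from the thread's log
    "Kcustomer.bank.+008+39364.key":
        "; This is a key-signing key, keyid 39364, for customer.bank.\n"
        f"customer.bank. IN DNSKEY 257 3 8 {_fake_rsa_dnskey_b64(2048)}\n",
    "Kcustomer.bank.+008+31284.key":
        "; This is a zone-signing key, keyid 31284, for customer.bank.\n"
        f"customer.bank. IN DNSKEY 256 3 8 {_fake_rsa_dnskey_b64(2048)}\n",
}

POLICY_FROM_THREAD = """dnssec-policy "eval" { keys {
        ksk lifetime 2d algorithm rsasha1;
        zsk lifetime 2d algorithm rsasha1;
        ksk lifetime 365d algorithm ecdsap256sha256;
        zsk lifetime 60d algorithm ecdsap256sha256; }; };"""

# Hypothetical correction: the existing algorithm and length are listed, so the
# rsasha256 keys stay in place while the ecdsap256sha256 keys are introduced.
POLICY_KEEPING_EXISTING = """dnssec-policy "eval" { keys {
        ksk lifetime unlimited algorithm rsasha256 2048;
        zsk lifetime 60d algorithm rsasha256 2048;
        ksk lifetime 365d algorithm ecdsap256sha256;
        zsk lifetime 60d algorithm ecdsap256sha256; }; };"""


def check(policy: str, keyfiles: dict = SAMPLE_KEYFILES) -> list:
    """Sorted names of the key files keymgr would retire under `policy`."""
    existing = [parse_key_file(n, c) for n, c in keyfiles.items()]
    return sorted(k["file"] for k in keys_that_would_be_retired(existing, parse_policy_keys(policy)))


if __name__ == "__main__":
    for label, pol in (("policy from the thread", POLICY_FROM_THREAD),
                       ("policy listing rsasha256 2048", POLICY_KEEPING_EXISTING)):
        print(f"{label}: would retire {check(pol) or 'nothing'}")
```

Run against a real key-directory, `check()` is fed the .key file names and contents from that directory; the thread's policy retires both RSASHA256 keys (matching the two "keymgr: retire DNSKEY" lines in the log), while the policy that lists rsasha256 with the existing length retires nothing, which is the starting point for a controlled algorithm rollover.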