I have a couple of zones which I want to migrate from CLI-driven signing to BIND9 automatic signing, while avoiding any change to the respective parent-zone DS RR.
Status quo ante:
- https://dnsviz.net/d/no8.be/dnssec/ separate KSK, ZSK; both using alg 13
- https://dnsviz.net/d/jamm.ie/dnssec/ 2048-bit KSK, 2x 1024-bit ZSKs (live and spare); all using alg 8

Preparation:
- Set up minimal stand-alone instance of BIND9 named, configured with a **dnssec-policy** for each algorithm, matching properties of existing DNSSEC keys, and with `lifetime unlimited`;
- Deliver current key files and recently-signed copy of zone files to this instance.

Expected behaviour on starting named:
- Zones are loaded;
- Spare ZSK for jamm.ie is retired;
- Other keys for each zone are accepted and retained;
- A CDS RR is generated for each zone, matching the current DS RR.

Observed behaviour:
- `named -v` shows `BIND 9.18.8 (Stable Release) <id:35f5d35>`;
- Zones are loaded;
- Spare ZSK for jamm.ie is retired;
- Other RSA/SHA-256 keys (for jamm.ie) are accepted and retained;
- A CDS RR is published for jamm.ie, matching the current DS RR;
- ECDSAP256SHA256 keys (for no8.be) are not accepted;
- New ECDSAP256SHA256 keys are created for no8.be;
- No CDS RR is generated for no8.be.

Unless I'm missing something, there seems to be a discrepancy according to key type between the handling of RSA/SHA-256 and ECDSAP256SHA256 keys respectively.

/Niall
```
// Based on https://bind9.readthedocs.io/en/latest/chapter3.html#primary-authoritative-name-server
// authoritative primary named.conf file
// options clause defining the server-wide properties
options {
  // all relative paths use this directory as a base
  directory "/usr/local/var/named";
  listen-on { 127.0.0.1; };
  listen-on-v6 { ::1; };
  allow-query { 127.0.0.1; ::1; };
  allow-query-cache { none; };
  recursion no;
};
// logging clause
// log to /var/log/named/example.log all events from info UP in severity (no debug)
// uses 3 files in rotation swaps files when size reaches 250K
// failure messages that occur before logging is established are
// in syslog (/var/log/messages)
//
logging {
  channel example_log {
    // uses a relative path name and the directory statement to
    // expand to /var/log/named/example.log
    file "example.log" versions 3 size 250k;
    // only log info and up messages - all others discarded
    severity info;
  };
  category default { example_log; };
};
acl local-requesters { localhost; };
dnssec-policy "persistent-rsasha256" {
  keys {
    ksk lifetime unlimited algorithm rsasha256;
    zsk lifetime unlimited algorithm rsasha256 1024;
  };
};
dnssec-policy "persistent-ecdsa256" {
  keys {
    ksk lifetime unlimited algorithm 13;
    zsk lifetime unlimited algorithm 13;
  };
};
// We are a standalone test server for jamm.ie
zone "jamm.ie" {
  type primary;
  update-policy local;
  file "jamm.ie/db.jamm.ie";
  key-directory "jamm.ie/";
  masterfile-format text;
  dnssec-policy persistent-rsasha256;
  notify explicit;
  allow-transfer { local-requesters; };
};
// We are a standalone test server for no8.be
zone "no8.be" {
  type primary;
  update-policy local;
  file "no8.be/db.no8.be";
  key-directory "no8.be/";
  masterfile-format text;
  dnssec-policy persistent-ecdsa256;
  notify explicit;
  allow-transfer { local-requesters; };
};
```
```
managed-keys-zone: loaded serial 0
zone no8.be/IN: loaded serial 2022110700 (DNSSEC signed)
zone jamm.ie/IN: loaded serial 2022110700 (DNSSEC signed)
zone no8.be/IN: reconfiguring zone keys
keymgr: DNSKEY no8.be/ECDSAP256SHA256/42593 (KSK) created for policy persistent-ecdsa256
keymgr: DNSKEY no8.be/ECDSAP256SHA256/5030 (ZSK) created for policy persistent-ecdsa256
Fetching no8.be/ECDSAP256SHA256/42593 (KSK) from key repository.
DNSKEY no8.be/ECDSAP256SHA256/42593 (KSK) is now published
DNSKEY no8.be/ECDSAP256SHA256/42593 (KSK) is now active
Fetching no8.be/ECDSAP256SHA256/5030 (ZSK) from key repository.
DNSKEY no8.be/ECDSAP256SHA256/5030 (ZSK) is now published
DNSKEY no8.be/ECDSAP256SHA256/5030 (ZSK) is now active
zone no8.be/IN: next key event: 07-Nov-2022 12:17:13.995
zone jamm.ie/IN: reconfiguring zone keys
keymgr: retire DNSKEY jamm.ie/RSASHA256/3078 (ZSK)
DNSKEY jamm.ie/RSASHA256/17103 (ZSK) is now active
Removing expired key 3078/RSASHA256 from DNSKEY RRset.
DNSKEY jamm.ie/RSASHA256/3078 (ZSK) is now deleted
CDS for key jamm.ie/RSASHA256/47680 is now published
CDNSKEY for key jamm.ie/RSASHA256/47680 is now published
zone jamm.ie/IN: next key event: 07-Nov-2022 10:17:14.023
all zones loaded
running
managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is now trusted, waiving the normal 30-day waiting period.
resolver priming query complete: success
zone jamm.ie/IN: reconfiguring zone keys
zone jamm.ie/IN: next key event: 07-Nov-2022 11:17:14.026
zone jamm.ie/IN: reconfiguring zone keys
zone jamm.ie/IN: next key event: 07-Nov-2022 12:17:14.028
```
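The expected outcome above is that the CDS BIND publishes matches the parent's current DS. As an added example (not from the post, nor BIND's own code), the following Python computes the RFC 4034 key tag and SHA-256 DS digest from a DNSKEY in presentation format and checks it against a CDS and a parent DS, so a migration can be verified before any parent-side change. The DNSKEY material is a constructed placeholder, not a real no8.be key.

```python
import base64
import hashlib


def owner_wire(name):
    """Owner name in canonical DNS wire format (lower-cased labels, root terminator)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (all algorithms except RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, dnskey_text):
    """Parse 'flags proto alg base64' and return (keytag, alg, digest type 2, sha256 hex)."""
    flags, proto, alg, *b64 = dnskey_text.split()
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
    rdata += base64.b64decode("".join(b64))
    # DS digest covers the canonical owner name followed by the DNSKEY RDATA (RFC 4034 5.1.4).
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), int(alg), 2, digest


def parse_ds(ds_text):
    """Parse 'keytag alg digesttype hex...' (DS and CDS share this presentation format)."""
    tag, alg, dtype, *hexparts = ds_text.split()
    return int(tag), int(alg), int(dtype), "".join(hexparts).lower()


def cds_matches_parent(owner, dnskey_text, cds_text, parent_ds_text):
    """True only if the KSK's computed DS equals both the zone's CDS and the parent's DS."""
    computed = ds_from_dnskey(owner, dnskey_text)
    return computed == parse_ds(cds_text) == parse_ds(parent_ds_text)


# Constructed sample: a 64-byte placeholder "public key", not a real zone key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_KSK = f"257 3 13 {SAMPLE_KEY_B64}"  # flags=257 (KSK), proto=3, alg=13

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey("no8.be.", SAMPLE_KSK)
    print(f"no8.be. IN DS {tag} {alg} {dtype} {digest.upper()}")
```

With live data the DNSKEY text comes from `dig +short DNSKEY no8.be` (or the K*.key file) and the parent DS from `dig DS no8.be`; BIND's `dnssec-dsfromkey -2` produces the same digest for cross-checking.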