Sorry I just realised that all that waffle about DS records is only
relevant for KSKs (and CSKs), not ZSKs. So please disregard that. :-P
But I think the "rumoured" vs. "omnipresent" thing is still relevant and
is the most likely explanation for why the old ZSK doesn't stick around.
I can only assume that the reason you have rumoured state is because you
are trying to roll your ZSK to soon after the previous ZSK rollover?
Have you checked the various timing settings in the KASP definition?
Nick.
On 30/09/23 11:32, Nick Tait via bind-users wrote:
On 29/09/23 12:05, Eddie Rowe wrote:
When I perform a ZSK key rollover the existing ZSK disappears
*immediately* so not sure what I am missing when using the KASP to
manage key rollover. The state for the keys looks good and for this
test I have TTL set to 1 hour.. But why does dig not show me both
DNSKEY records for the ZSK after I initiate the rollover when there
should be overlap as described in Automatic DNSSEC Zone Signing Key
rollover explained (isc.org) <https://kb.isc.org/docs/aa-00822>?
Bind 9.16.23 which seems to be the newest release provided by my
distribution. I reviewed the ARM for notes for newer releases in the
9.16 branch and did not see mention of any rollover bugs or for dig.
1. Here is the key info from dig for ZSK key 15465 at 17:17.
# dig @localhost myexample.com DNSKEY +multi
; <<>> DiG 9.16.23-RH <<>> @localhost myexample.com DNSKEY +multi
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41895
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0,
ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7c2a0e61926d2d3a010000006515fb68eef12b631ca40c20 (good)
;; QUESTION SECTION:
;myexample.com. IN DNSKEY
;; ANSWER SECTION:
myexample.com. 3600 IN DNSKEY 257 3 13 (
20agIXl9sQCo00yiHHviYWZG8TvVmDoVxPJwO3mlcwxB
le7UNrzNQaeukC6teT4XrqYflqDxcM6d9L/mtREIKA==
) ; KSK; alg = ECDSAP256SHA256 ; key id = 31296
myexample.com. 3600 IN DNSKEY 256 3 13 (
AlKXH5aebvboC4laAovc6wfg6uGK1uTbTqYYnhKadSq6
78nSI3DyM+1t91jqQ81tlBy+e3hJyKtlX/OiOhuZcA==
) ; ZSK; alg = ECDSAP256SHA256 ;
key id = 15465
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 28 17:17:12 CDT 2023
;; MSG SIZE rcvd: 230
3. Here is the info from the key as far as state goes.
# more Kmyexample.com.+013+15465.key
; This is a zone-signing key, keyid 15465, for myexample.com.
; Created: 20230928221438 (Thu Sep 28 17:14:38 2023)
; Publish: 20230928221438 (Thu Sep 28 17:14:38 2023)
; Activate: 20230928221438 (Thu Sep 28 17:14:38 2023)
; Inactive: 20231127221438 (Mon Nov 27 16:14:38 2023)
; Delete: 20231207231938 (Thu Dec 7 17:19:38 2023)
myexample.com. 3600 IN DNSKEY 256 3 13
AlKXH5aebvboC4laAovc6wfg6uGK1uTbTqYYnhKadSq678nSI3DyM+1t
91jqQ81tlBy+e3hJyKtlX/OiOhuZcA==
# more Kmyexample.com.+013+15465.state
; This is the state of key 15465, for myexample.com.
Algorithm: 13
Length: 256
Lifetime: 5184000
KSK: no
ZSK: yes
Generated: 20230928221438 (Thu Sep 28 17:14:38 2023)
Published: 20230928221438 (Thu Sep 28 17:14:38 2023)
Active: 20230928221438 (Thu Sep 28 17:14:38 2023)
Retired: 20231127221438 (Mon Nov 27 16:14:38 2023)
Removed: 20231207231938 (Thu Dec 7 17:19:38 2023)
DNSKEYChange: 20230928221438 (Thu Sep 28 17:14:38 2023)
ZRRSIGChange: 20230928221438 (Thu Sep 28 17:14:38 2023)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent
I suspect that the crucial detail above is "DNSKEYState: rumoured".
This suggests that the last ZSK rollover hasn't been fully completed.
Before starting a rollover it is a good idea to make sure the ZSK that
you are retiring is in an "omnipresent" state.
The usual reason that the key isn't in omnipresent state is because
BIND is still waiting for the corresponding DS record to be published
and available in the parent zone. BIND 9.16 only knows if the DS
record is published if you've set up parental-agents, or if you've
explicitly told it using rndc. (BTW BIND 9.19 introduces new default
behaviour which means you don't need to set parental-agents in order
for it to figure this out.)
Have a look here:
https://bind9.readthedocs.io/en/latest/chapter5.html#key-rollover
Specifically:
/If setting up a parental agent is undesirable, it is also
possible to tell BIND that the DS is published in the parent with:
/|rndc dnssec -checkds -key 12345 published dnssec.example.|
<https://bind9.readthedocs.io/en/latest/manpages.html#cmdoption-rndc-arg-dnssec>/.
and the DS for the predecessor key has been removed with: /|rndc
dnssec -checkds -key 54321 withdrawn dnssec.example.|
<https://bind9.readthedocs.io/en/latest/manpages.html#cmdoption-rndc-arg-dnssec>/.
where 12345 and 54321 are the key tags of the successor and
predecessor key, respectively./
Nick.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
