Hi,
On 6/2/23 13:53, Sebastian Wiesinger wrote:
Hi,
I recently moved from auto-dnssec to dnssec-policy and after the
switch I tried to change a zone from an RSA ZSK/KSK to an ECDSA CSK.
When I changed the dnssec-policy from rsa to ecdsa-csk the old keys
immediately got removed, which led to bogus DNSSEC for the zone. I
was expecting a rollover procedure.
Did you wait until the migration was complete? Everything needs to be
omnipresent after the migration before you can make DNSSEC policy
changes safely.
I noticed:
> - ds: hidden
This means that from BIND's perspective the DS has not been published.
Most likely because the other keys were not fully omnipresent yet.
If the DS is not published yet, or at least the migration has not
reached this state yet, you can do anything with the DNSSEC records,
because of the absence of a secure delegation.
Best regards,
Matthijs
BIND version is 9.18.12 (Debian Backports).
My question is, did I do something wrong? What would have been the
right way to do it? I noticed that the DS state is "hidden" before and
after the switch of the dnssec-policy but I found no way to change
that.
Here is config and logs of the change:
Old and new policy are:
dnssec-policy "rsa" {
    keys {
        ksk key-directory lifetime unlimited algorithm rsasha256 2048;
        zsk key-directory lifetime P60D algorithm rsasha256 1024;
    };
};
dnssec-policy "ecdsa-csk" {
    keys {
        csk key-directory lifetime unlimited algorithm 13;
    };
};
Zone definition is:
zone "sub.my.zone" {
    type master;
    file "/etc/bind/dynamic-zones/sub.my.zone/sub.my.zone";
    allow-transfer { localhost; ns2; };
    key-directory "/etc/bind/dynamic-zones/sub.my.zone";
    dnssec-policy "ecdsa-csk";
    parental-agents { 127.12.12.13; };
    allow-update { key sub.my.zone_api.; };
};
Jun 02 13:26:19 alita named[1001022]: general: notice: zone sub.my.zone/IN/default: checkds: set 1 parentals
Jun 02 13:26:19 alita named[1001022]: dnssec: info: zone sub.my.zone/IN/default: reconfiguring zone keys
Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: retire DNSKEY sub.my.zone/RSASHA256/54096 (ZSK)
Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: retire DNSKEY sub.my.zone/RSASHA256/56781 (ZSK)
Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: retire DNSKEY sub.my.zone/RSASHA256/13786 (KSK)
Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: DNSKEY sub.my.zone/ECDSAP256SHA256/36745 (CSK) created for policy ecdsa-csk
Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/RSASHA256/56781 (ZSK) is now deleted
Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/RSASHA256/13786 (KSK) is now deleted
Jun 02 13:26:19 alita named[1001022]: dnssec: info: Fetching sub.my.zone/ECDSAP256SHA256/36745 (CSK) from key repository.
Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/ECDSAP256SHA256/36745 (CSK) is now published
Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/ECDSAP256SHA256/36745 (CSK) is now active
Jun 02 13:26:19 alita named[1001022]: dnssec: info: zone sub.my.zone/IN/default: next key event: 02-Jun-2023 13:31:19.338
Jun 02 13:26:19 alita named[1001022]: notify: info: zone sub.my.zone/IN/default: sending notifies (serial 2014014053)
DNSSEC status before:
dnssec-policy: rsa
current time: Fri Jun 2 13:23:54 2023
key: 54096 (RSASHA256), ZSK
published: no
zone signing: no
Key has been removed from the zone
- goal: hidden
- dnskey: hidden
- zone rrsig: unretentive
key: 56781 (RSASHA256), ZSK
published: yes - since Fri Jun 2 11:15:23 2023
zone signing: yes - since Fri Jun 2 12:20:23 2023
Next rollover scheduled on Tue Aug 1 10:15:23 2023
- goal: omnipresent
- dnskey: omnipresent
- zone rrsig: rumoured
key: 13786 (RSASHA256), KSK
published: yes - since Wed Jan 22 22:42:33 2014
key signing: yes - since Wed Jan 22 22:42:33 2014
No rollover scheduled
- goal: omnipresent
- dnskey: omnipresent
- ds: hidden
- key rrsig: omnipresent
DNSSEC status after:
dnssec-policy: ecdsa-csk
current time: Fri Jun 2 13:32:23 2023
key: 54096 (RSASHA256), ZSK
published: no
zone signing: no
Key has been removed from the zone
- goal: hidden
- dnskey: hidden
- ds: hidden
- zone rrsig: unretentive
- key rrsig: hidden
key: 56781 (RSASHA256), ZSK
published: no
zone signing: no
Key has been removed from the zone
- goal: hidden
- dnskey: unretentive
- ds: unretentive
- zone rrsig: unretentive
- key rrsig: unretentive
key: 36745 (ECDSAP256SHA256), CSK
published: yes - since Fri Jun 2 13:26:19 2023
key signing: yes - since Fri Jun 2 13:26:19 2023
zone signing: yes - since Fri Jun 2 13:26:19 2023
No rollover scheduled
- goal: omnipresent
- dnskey: rumoured
- ds: hidden
- zone rrsig: rumoured
- key rrsig: rumoured
key: 13786 (RSASHA256), KSK
published: no
key signing: no
Key has been removed from the zone
- goal: hidden
- dnskey: hidden
- ds: hidden
- zone rrsig: unretentive
- key rrsig: hidden
Best Regards
Sebastian
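The practical check behind Matthijs's advice is to look at the per-key states that `rndc dnssec -status <zone>` prints (the same "goal / dnskey / ds / zone rrsig / key rrsig" lines Sebastian pasted) and only change dnssec-policy once nothing is rumoured or unretentive and the signing KSK/CSK has `ds: omnipresent`. In Sebastian's "before" status the KSK's DS was still hidden, so from BIND's point of view there was no secure delegation to protect. The script below is an added example, not code from the thread or from ISC: it parses that status format as it appears in the post and lists every reason a policy change would be unsafe. The rules it applies are the ones stated in the reply (everything omnipresent, DS published); the helper names, the `STATUS_SETTLED` sample and the rule that a KSK/CSK with `goal: omnipresent` must also have `ds: omnipresent` are my assumptions. Note that with `parental-agents` BIND discovers the parent DS itself, and `rndc dnssec -checkds published <zone>` is the BIND command that tells it the DS has been published when that automatic check cannot succeed.

```python
"""Decide from `rndc dnssec -status <zone>` output whether a zone has settled
enough that changing its dnssec-policy will not break the chain of trust.
Added example for the bind-users thread above; not ISC code."""
import re
from dataclasses import dataclass, field

# Record states BIND's key manager reports that mean "still in transition".
TRANSITIONAL = {"rumoured", "unretentive"}


@dataclass
class KeyStatus:
    keyid: str
    algorithm: str
    role: str                                   # KSK, ZSK or CSK
    states: dict = field(default_factory=dict)  # e.g. {"ds": "hidden"}


KEY_RE = re.compile(r"^key:\s+(\d+)\s+\(([^)]+)\),\s+(KSK|ZSK|CSK)\s*$")
STATE_RE = re.compile(r"^-\s+([a-z ]+?):\s+(\w+)\s*$")


def parse_status(text):
    """Return (policy_name, [KeyStatus, ...]) parsed from rndc dnssec -status text."""
    policy, keys = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dnssec-policy:"):
            policy = line.split(":", 1)[1].strip()
            continue
        m = KEY_RE.match(line)
        if m:                      # "key: 13786 (RSASHA256), KSK" starts a key block
            keys.append(KeyStatus(*m.groups()))
            continue
        m = STATE_RE.match(line)
        if m and keys:             # "- ds: hidden" belongs to the current key
            keys[-1].states[m.group(1)] = m.group(2)
    return policy, keys


def policy_change_blockers(text):
    """Return reasons why switching dnssec-policy now is unsafe ([] means safe).

    Any record still rumoured/unretentive means a rollover or withdrawal is in
    progress; a signing KSK/CSK whose DS is not omnipresent has no secure
    delegation yet, so BIND will not roll it gracefully (assumption: treat
    both as blocking).
    """
    _, keys = parse_status(text)
    reasons = []
    for k in keys:
        for rr, state in k.states.items():
            if rr != "goal" and state in TRANSITIONAL:
                reasons.append(f"key {k.keyid} ({k.role}): {rr} is {state}")
        if (k.states.get("goal") == "omnipresent" and k.role in ("KSK", "CSK")
                and k.states.get("ds") != "omnipresent"):
            reasons.append(f"key {k.keyid} ({k.role}): ds is "
                           f"{k.states.get('ds', 'missing')}, no secure delegation yet")
    if not any(k.states.get("goal") == "omnipresent" for k in keys):
        reasons.append("no key has goal omnipresent; zone is not being signed")
    return reasons


# Key and state lines from the "DNSSEC status before" block posted in the thread
# (informational lines such as "published:" omitted; the parser ignores them).
STATUS_BEFORE = """\
dnssec-policy: rsa
key: 54096 (RSASHA256), ZSK
- goal: hidden
- dnskey: hidden
- zone rrsig: unretentive
key: 56781 (RSASHA256), ZSK
- goal: omnipresent
- dnskey: omnipresent
- zone rrsig: rumoured
key: 13786 (RSASHA256), KSK
- goal: omnipresent
- dnskey: omnipresent
- ds: hidden
- key rrsig: omnipresent
"""

# Constructed sample (not from the thread): a CSK zone after the parent DS has
# been published and BIND has observed it, i.e. the state to wait for.
STATUS_SETTLED = """\
dnssec-policy: ecdsa-csk
key: 36745 (ECDSAP256SHA256), CSK
- goal: omnipresent
- dnskey: omnipresent
- ds: omnipresent
- zone rrsig: omnipresent
- key rrsig: omnipresent
"""

if __name__ == "__main__":
    for name, status in (("before", STATUS_BEFORE), ("settled", STATUS_SETTLED)):
        blockers = policy_change_blockers(status)
        print(f"{name}: {'SAFE to change policy' if not blockers else 'NOT safe'}")
        for r in blockers:
            print("  -", r)
```

Run against the posted "before" status this reports three blockers (the old ZSK still being withdrawn, the new ZSK's signatures still propagating, and the KSK's DS hidden), which is exactly the situation in which BIND dropped the RSA keys outright; the constructed settled status reports none.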
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users