AW: migration from auto-dnssec to dnssec-policy deletes keys immediately
Hi all! I also know a colleague which was hit by the same issue, causing problems to their zone. Migrating from auto-dnssec to dnssec-policy can lead to operational issues. For example that problem with different algos should be mentioned in https://kb.isc.org/docs/dnssec-key-and-signing-policy Further, I suggest to add something like the following sentence to that article: Changing DNSSEC configuration can lead to unexpected zone changes and should be tested on dedicated test systems before. If you do this on a hidden master, you could also temporarily disable outgoing XFR by configuring 'allow-transfer {"none";};' on that zone to prevent leakage of broken DNSSEC zones. This way you can check the zone after migration and only after successful testing (i.e. using https://dnsviz.net/d/ops.nic.at/analyze/ with advanced options, pointing directly to the hidden master) re-enable outgoing XFR. Regards Klaus Von: bind-users Im Auftrag von Nick Tait via bind-users Gesendet: Donnerstag, 28. Dezember 2023 04:01 An: bind-users@lists.isc.org Betreff: Re: migration from auto-dnssec to dnssec-policy deletes keys immediately On 28 Dec 2023, at 1:05 PM, Adrian Zaugg mailto:lists.isc@mailgurgler.com>> wrote: 2023-12-27 23:51:24: zone myzone.ch/IN (signed): reconfiguring zone keys 2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/14076 (KSK) 2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/3654 (ZSK) 2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/2336 (KSK) created for policy mypolicy 2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/35413 (ZSK) created for policy mypolicy Your DNSSEC policy “mypolicy” specifies a different algorithm (ED25519) to what was previously in effect (ECDSAP256SHA256), which is why Bind generated new keys. If you want Bind to keep the old keys when transitioning to dnssec-policy you should initially specify the same algorithm in your policy. My understanding is that after you’ve transitioned to using dnssec-policy you should be able to change the algorithm and Bind should do a graceful roll-over? Just make sure everything is “omnipresent” in your state files (in the keys directory) first. Nick. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: migration from auto-dnssec to dnssec-policy deletes keys immediately
On 12/28/23 12:58, Adrian Zaugg wrote: Hi Nick Not changing the key algo does help indeed when introducing dnssec-policy, see the log below. Thank you very much for pointing this out. But I do not understand why BIND deletes valid and published keys, just because there should be another algo used. Couldn't this be done in a smooth key rollover process aswell? Maybe someone with more insights than I have, could explain this behaviour. Thanks! I suspect because it did not have the right key states set. In order to do this all automatically we need to maintain state. Prior to dnssec-policy there is no such state. When migrating to dnssec-policy we try to derive the key states from the key timing metadata in the key files. You should check if the migration is complete and all key states are in omnipresent. You can do so with 'rndc dnssec -status '. From that point on it should be safe to make policy configuration changes, such as algorithm rolls, and old keys are phased out smoothly. I am thinking of adding an additional safety mechanism during migration, because you are not the first one to do this. Best regards, Matthijs Best regards, Adrian. Log of successful change from auto-dnssec to dnssec-policy (using the same algo): 2023-12-28 11:53:00: zone myzone.ch/IN (signed): generated salt: [...] 2023-12-28 11:53:00: zone myzone.ch/IN (signed): checkds: set 4 parentals 2023-12-28 11:53:01: zone myzone.ch/IN (signed): zone_addnsec3chain(1,CREATE, 32,[...]) 2023-12-28 11:53:01: zone myzone.ch/IN (signed): reconfiguring zone keys 2023-12-28 11:53:01: keymgr: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) created for policy mypolicy_ecdsa 2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch. +013+61287.private have changed from 0640 to 0600 as a result of this operation. 2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch. +013+38348.private have changed from 0640 to 0600 as a result of this operation. 2023-12-28 11:53:01: Fetching myzone.ch/ECDSAP256SHA256/50817 (ZSK) from key repository. 2023-12-28 11:53:01: Key myzone.ch/ECDSAP256SHA256/50817: Delaying activation to match the DNSKEY TTL (86400). 2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now published 2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now active 2023-12-28 11:53:01: CDS for key myzone.ch/ECDSAP256SHA256/61287 is now published 2023-12-28 11:53:01: CDNSKEY for key myzone.ch/ECDSAP256SHA256/61287 is now published 2023-12-28 11:53:01: zone myzone.ch/IN (signed): next key event: 28-Dec-2023 12:53:01.176 2023-12-28 11:53:01: zone myzone.ch/IN (signed): sending notifies (serial 2021010692) -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: migration from auto-dnssec to dnssec-policy deletes keys immediately
Hi Nick Not changing the key algo does help indeed when introducing dnssec-policy, see the log below. Thank you very much for pointing this out. But I do not understand why BIND deletes valid and published keys, just because there should be another algo used. Couldn't this be done in a smooth key rollover process aswell? Maybe someone with more insights than I have, could explain this behaviour. Thanks! Best regards, Adrian. Log of successful change from auto-dnssec to dnssec-policy (using the same algo): 2023-12-28 11:53:00: zone myzone.ch/IN (signed): generated salt: [...] 2023-12-28 11:53:00: zone myzone.ch/IN (signed): checkds: set 4 parentals 2023-12-28 11:53:01: zone myzone.ch/IN (signed): zone_addnsec3chain(1,CREATE, 32,[...]) 2023-12-28 11:53:01: zone myzone.ch/IN (signed): reconfiguring zone keys 2023-12-28 11:53:01: keymgr: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) created for policy mypolicy_ecdsa 2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch. +013+61287.private have changed from 0640 to 0600 as a result of this operation. 2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch. +013+38348.private have changed from 0640 to 0600 as a result of this operation. 2023-12-28 11:53:01: Fetching myzone.ch/ECDSAP256SHA256/50817 (ZSK) from key repository. 2023-12-28 11:53:01: Key myzone.ch/ECDSAP256SHA256/50817: Delaying activation to match the DNSKEY TTL (86400). 2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now published 2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now active 2023-12-28 11:53:01: CDS for key myzone.ch/ECDSAP256SHA256/61287 is now published 2023-12-28 11:53:01: CDNSKEY for key myzone.ch/ECDSAP256SHA256/61287 is now published 2023-12-28 11:53:01: zone myzone.ch/IN (signed): next key event: 28-Dec-2023 12:53:01.176 2023-12-28 11:53:01: zone myzone.ch/IN (signed): sending notifies (serial 2021010692) signature.asc Description: This is a digitally signed message part. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: migration from auto-dnssec to dnssec-policy deletes keys immediately
> On 28 Dec 2023, at 1:05 PM, Adrian Zaugg > wrote: > > 2023-12-27 23:51:24: zone myzone.ch/IN (signed): reconfiguring zone keys > 2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/14076 > (KSK) > 2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/3654 > (ZSK) > 2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/2336 (KSK) created for > policy mypolicy > 2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/35413 (ZSK) created for > policy mypolicy Your DNSSEC policy “mypolicy” specifies a different algorithm (ED25519) to what was previously in effect (ECDSAP256SHA256), which is why Bind generated new keys. If you want Bind to keep the old keys when transitioning to dnssec-policy you should initially specify the same algorithm in your policy. My understanding is that after you’ve transitioned to using dnssec-policy you should be able to change the algorithm and Bind should do a graceful roll-over? Just make sure everything is “omnipresent” in your state files (in the keys directory) first. Nick. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
migration from auto-dnssec to dnssec-policy deletes keys immediately
Dear List Trying to migrate a zone from auto-dnssec zone "myzone.ch" { key-directory "/var/lib/bind/keys"; auto-dnssec maintain; inline-signing yes; type master; [...] to dnssec-policy zone "myzone.ch" { key-directory "/var/lib/bind/keys"; dnssec-policy "mypolicy"; inline-signing yes; parental-agents { "quad9"; }; type master; [...] my BIND version 9.18.19 deletes the published and valid keys immediately with newly created ones. As I understand, BIND should make a smooth keyrollover keeping the old keys around for a while and wait until the new keys have a delegation signer record in the parent zone before the old ones get withdrawn and deleted. What am I doing wrong? Thank you for your help. Best regards, Adrian. Relevant log entries: 2023-12-27 23:51:24: zone myzone.ch/IN (signed): reconfiguring zone keys 2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/14076 (KSK) 2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/3654 (ZSK) 2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/2336 (KSK) created for policy mypolicy 2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/35413 (ZSK) created for policy mypolicy 2023-12-27 23:51:24: Permissions on the file /var/lib/bind/keys/Kmyzone.ch. +013+14076.private have changed from 0640 to 0600 as a result of this operation. 2023-12-27 23:51:24: Permissions on the file /var/lib/bind/keys/Kmyzone.ch. +013+03654.private have changed from 0640 to 0600 as a r esult of this opera 2023-12-27 23:51:24: Removing expired key myzone.ch/14076/ECDSAP256SHA256 from DNSKEY RRset. 2023-12-27 23:51:24: DNSKEY myzone.ch/ECDSAP256SHA256/14076 (KSK) is now deleted 2023-12-27 23:51:24: Removing expired key myzone.ch/3654/ECDSAP256SHA256 from DNSKEY RRset. 2023-12-27 23:51:24: DNSKEY myzone.ch/ECDSAP256SHA256/3654 (ZSK) is now deleted 2023-12-27 23:51:24: Fetching myzone.ch/ED25519/2336 (KSK) from key repository. 2023-12-27 23:51:24: DNSKEY myzone.ch/ED25519/2336 (KSK) is now published 2023-12-27 23:51:24: DNSKEY myzone.ch/ED25519/2336 (KSK) is now active 2023-12-27 23:51:24: Fetching myzone.ch/ED25519/35413 (ZSK) from key repository. 2023-12-27 23:51:24: DNSKEY myzone.ch/ED25519/35413 (ZSK) is now published 2023-12-27 23:51:24: DNSKEY myzone.ch/ED25519/35413 (ZSK) is now active 2023-12-27 23:51:24: zone myzone.ch/IN (signed): zone_addnsec3chain(1,CREATE, 32,68[...]) 2023-12-27 23:51:24: zone myzone.ch/IN (signed): next key event: 27-Dec-2023 23:56:24.191 My policy looks like: dnssec-policy "mypolicy" { dnskey-ttl 3600; keys { ksk lifetime P5Y algorithm ED25519; zsk lifetime 60d algorithm ED25519; }; nsec3param iterations 32 optout no salt-length 16; publish-safety 1h; retire-safety 7d; }; ...and the parental-agents are Quad9: parental-agents "quad9" { 9.9.9.9; 149.112.112.112; 2620:fe::fe; 2620:fe::9; }; the old key has the following times set after the configuration change: $ dnssec-settime -p all /etc/bind/keys/myzone.ch.+013+14076.key Created: Wed Jul 10 10:49:51 2019 Publish: Wed Jul 10 10:49:51 2019 Activate: Wed Jul 10 10:49:51 2019 Revoke: UNSET Inactive: Wed Dec 27 23:51:24 2023 Delete: Fri Jan 5 00:51:24 2024 SYNC Publish: UNSET SYNC Delete: UNSET DS Publish: UNSET DS Delete: UNSET signature.asc Description: This is a digitally signed message part. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users