Saw the light of day and decided to change my DNSSEC signing script to create DNS Keys with RSASHA256 rather than RSASHA1. It seems one can not mix these two in the same zone????
I've created a short script to demonstrate the issue. I've attached "RunTest" that simulates what I am doing. It uses the zone "foo.com" - I've attached "db.foo.com.base" as a simple zone. I've attached the "output". Best to do this in a completely empty directory!

Basically - create a KSK and ZSK with RSASHA1 - Sign - and visibly check the results. Add a new KSK using RSASHA256 - prep the zone and sign again.

1 - Signer is confused???? - cannot sign (or generate a new Signed Zone)...

    Verifying the zone using the following algorithms: RSASHA1.
    Missing self signing KSK for algorithm RSASHA256
    The zone is not fully signed for the following algorithms: RSASHA256.
    dnssec-signzone: fatal: DNSSEC completeness test failed.

2 - The file "dsset-foo.com." has too many DS records. Why is dnssec-signzone adding the DS records for a ZSK into dsset?

If everything is either RSASHA1 or RSASHA256 - everything is OK. Bug? Simply how it should be by design?

This really disturbs me - these Keys take ages in the real world to migrate using reasonable timings - do I have to Zap all my Keys - redo all zones. Is this always the case when an Algorithm changes?

Versions: BIND 9.7.3-P3, dnssec-keygen: 9.7.3, dnssec-signzone: 9.7.3-P3

-- 
Mark Elkins <m...@posix.co.za>
Posix Systems
Attachment: RunTest (application/shellscript)
Attachment: db.foo.com.base

    $TTL 3600
    @   IN SOA control.vweb.co.za. dns-admin.posix.co.za. (
                2011101501 ; Serial number
                3600       ; Refresh, 86400=1 day, 3600=1 hr
                1800       ; Retry after 30 mins
                604800     ; Expire after 7 days
                1800 )     ; Negative TTL, 21600=6 hrs, 1800=30 mins
        IN NS secdns1.posix.co.za.
        IN NS control.vweb.co.za.
        IN A  160.124.208.1
Attachment: output

    Generating key pair....++++++ ....................++++++
    Kfoo.com.+005+03488
    Generating key pair.........................................++++++ ................++++++
    Kfoo.com.+005+56205
    Verifying the zone using the following algorithms: RSASHA1.
    Zone signing complete:
    Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                        ZSKs: 1 active, 0 stand-by, 0 revoked
    db.foo.com.signed
    total 40
    -rw-r--r-- 1 root root  426 Oct 15 11:56 Kfoo.com.+005+03488.key
    -rw------- 1 root root 1014 Oct 15 11:56 Kfoo.com.+005+03488.private
    -rw-r--r-- 1 root root  426 Oct 15 11:56 Kfoo.com.+005+56205.key
    -rw------- 1 root root 1014 Oct 15 11:56 Kfoo.com.+005+56205.private
    -rw-r--r-- 1 root root  818 Oct 15 11:53 RunTest
    -rw-r--r-- 1 root root 1187 Oct 15 11:56 db.foo.com
    -rw-r--r-- 1 root root  335 Oct 15 11:48 db.foo.com.base
    -rw-r--r-- 1 root root 2672 Oct 15 11:56 db.foo.com.signed
    -rw-r--r-- 1 root root  159 Oct 15 11:56 dsset-foo.com.
    -rw-r--r-- 1 root root  406 Oct 15 11:56 output
    Generating key pair..............++++++ ...++++++
    Kfoo.com.+008+13851
    Verifying the zone using the following algorithms: RSASHA1.
    Missing self signing KSK for algorithm RSASHA256
    The zone is not fully signed for the following algorithms: RSASHA256.
    dnssec-signzone: fatal: DNSSEC completeness test failed.
    total 48
    -rw-r--r-- 1 root root  426 Oct 15 11:56 Kfoo.com.+005+03488.key
    -rw------- 1 root root 1014 Oct 15 11:56 Kfoo.com.+005+03488.private
    -rw-r--r-- 1 root root  426 Oct 15 11:56 Kfoo.com.+005+56205.key
    -rw------- 1 root root 1014 Oct 15 11:56 Kfoo.com.+005+56205.private
    -rw-r--r-- 1 root root  423 Oct 15 11:57 Kfoo.com.+008+13851.key
    -rw------- 1 root root 1012 Oct 15 11:57 Kfoo.com.+008+13851.private
    -rw-r--r-- 1 root root  818 Oct 15 11:53 RunTest
    -rw-r--r-- 1 root root 1610 Oct 15 11:57 db.foo.com
    -rw-r--r-- 1 root root  335 Oct 15 11:48 db.foo.com.base
    -rw-r--r-- 1 root root 2672 Oct 15 11:56 db.foo.com.signed
    -rw-r--r-- 1 root root  318 Oct 15 11:57 dsset-foo.com.
    -rw-r--r-- 1 root root 1311 Oct 15 11:57 output
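Added example, not BIND's code and not the poster's RunTest script: a Python model of the completeness test that dnssec-signzone fails in the output above. It applies the RFC 4035 section 2.2 rule that every algorithm listed in the DNSKEY RRset must have a KSK signing the DNSKEY RRset and must sign every RRset in the zone, replays the post's two runs with constructed record sets (key tags taken from the output), and adds a third run showing that an RSASHA256 ZSK as well as the KSK is what makes the dual-algorithm zone pass (the ZSK tag 60001 is made up).

```python
# Added example: a model of the DNSSEC completeness test dnssec-signzone
# runs, not BIND's own code. Per RFC 4035 section 2.2 every algorithm in the
# DNSKEY RRset must sign every RRset, so an algorithm rollover needs a KSK
# *and* a ZSK of the new algorithm before the zone is re-signed.
ALG_NAMES = {5: "RSASHA1", 8: "RSASHA256"}
KSK = 257  # DNSKEY flags: ZONE + SEP
ZSK = 256  # DNSKEY flags: ZONE only
APEX = "foo.com."
# Constructed: the RRsets of db.foo.com.base plus the DNSKEY RRset.
RRSETS = {(APEX, "SOA"), (APEX, "NS"), (APEX, "A"), (APEX, "DNSKEY")}

def check_completeness(dnskeys, rrsets, rrsigs):
    """dnskeys: {keytag: (flags, alg)}; rrsets: set of (owner, rtype);
    rrsigs: set of (owner, covered_rtype, alg, keytag).
    Returns the list of problems; an empty list means the zone passes."""
    problems, not_full = [], []
    for alg in sorted({alg for _, alg in dnskeys.values()}):
        name = ALG_NAMES.get(alg, str(alg))
        # A key with the SEP bit and this algorithm must sign the DNSKEY RRset.
        if not any(t == "DNSKEY" and a == alg and dnskeys.get(tag, (0, 0))[0] & 1
                   for _, t, a, tag in rrsigs):
            problems.append(f"Missing self signing KSK for algorithm {name}")
        # Every RRset must carry at least one RRSIG made with this algorithm.
        if not rrsets <= {(o, t) for o, t, a, _ in rrsigs if a == alg}:
            not_full.append(name)
    if not_full:
        problems.append("The zone is not fully signed for the following "
                        f"algorithms: {', '.join(not_full)}.")
    return problems

def sign_all(signers):
    """Constructed stand-in for signing: each KSK signs the DNSKEY RRset,
    each ZSK signs the remaining RRsets (the usual dnssec-signzone split)."""
    sigs = set()
    for tag, (flags, alg) in signers.items():
        for _, rtype in RRSETS:
            if (rtype == "DNSKEY") == bool(flags & 1):
                sigs.add((APEX, rtype, alg, tag))
    return sigs

# Run 1 of the post: RSASHA1 KSK and ZSK (key tags from the output above).
RUN1 = {3488: (KSK, 5), 56205: (ZSK, 5)}
# Run 2: KSK 13851 (RSASHA256) is published but only the old keys sign,
# and there is no RSASHA256 ZSK at all.
RUN2 = {**RUN1, 13851: (KSK, 8)}
# Run 3: the key set a dual-algorithm zone needs; ZSK tag 60001 is made up.
RUN3 = {**RUN2, 60001: (ZSK, 8)}

def run(published, signers):
    return check_completeness(published, RRSETS, sign_all(signers))
```

run(RUN2, RUN1) reproduces both error lines from the output above, and run(RUN3, RUN3) returns no problems.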
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list