Okay, so if I'm interpreting this correctly: when the new alg 14 KSKs were created and then the zone was signed (either automatically or via a command), there was probably only a valid alg 8 ZSK available. As a result BIND used the alg 14 KSK as a de facto CSK and signed the zone RRsets directly. This would make sense given the nature of the issue I had with my key rotation process. However, now I have both valid alg 8 and alg 14 ZSKs available. Is there a way to go back and get BIND to re-evaluate the zone so that it recognizes the valid ZSK records and signs with them only?
Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D C7DD DFFB 7662 24E6 C30D
Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9 CCFC 426E 76AF DABC B3D7

On 8/31/21 18:07, Mark Andrews wrote:
> Named will continually re-sign parts of the zone as the RRSIGs for an RRset fall due
> for replacement. Named looks at which keys are in the active state to determine, along
> with the aforementioned controls, which DNSKEYs will be used to re-sign the
> RRset. If in the past you only had one key type and you now have two, different keys
> may be used to re-sign the RRset. If you changed policy in named.conf, the new policy
> will be implemented as the RRSIGs are re-generated.
>
> It looks like you told named to re-sign the zone when there was only one type of DNSKEY
> key record (or you were unlucky enough for named to check the available keys while there
> was only one active key present), resulting in named overriding the policy in named.conf.
>
> Mark
>
>> On 1 Sep 2021, at 03:44, Timothy A. Holtzen via bind-users
>> <[email protected]> wrote:
>>
>> I'm using Algorithm 8 RSA/SHA-256, and Algorithm 14 ECDSA/SHA-384. I
>> have one RSA KSK and one RSA ZSK. In addition I have two ECDSA KSKs and
>> two ECDSA ZSKs. The RSA KSK seems perfectly happy to sign the ECDSA
>> ZSKs. And both the RSA and ECDSA ZSKs seem to be signing records
>> correctly. It just seems to be the two newer ECDSA KSKs that, instead of
>> signing the ZSKs, are signing the domain records directly.
>>
>> Even more perplexing is that one of the domains seems to have fixed
>> itself. Now all the KSKs for that domain are signing the ZSKs and the
>> ZSKs are signing the domain records. But I've still got a couple of
>> other domains where it is doing it wrong. Is there some kind of timeout
>> or maintenance that gets run automatically that might have fixed the
>> issue? I've tried running an "rndc sign" command on the domains several
>> times.
>>
>> Timothy A. Holtzen
>> Campus Network Administrator
>> Nebraska Wesleyan University
>> Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D C7DD DFFB 7662 24E6 C30D
>> Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9 CCFC 426E 76AF DABC B3D7
>>
>> On 8/30/21 17:40, raf via bind-users wrote:
>>> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton
>>> <[email protected]> wrote:
>>>
>>>> What algorithm(s) are you using for ZSK and KSK? If they're not the
>>>> same algorithm, then both will be used to sign the entire zone.
>>>>
>>>> Regards,
>>>> Chris Buxton
>>>
>>> Just out of curiosity, why is that?
>>> Isn't having the KSK sign the ZSK enough?
>>> What difference does the nature of the thing
>>> being signed make?
>>>
>>> cheers,
>>> raf
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
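An added audit script, not part of this thread and not BIND's own code: given a signed-zone fragment, it reports RRsets that a KSK (flags 257) signs directly, the symptom described above, and RRsets that lack an RRSIG for one of the algorithms present in the DNSKEY RRset, which is the RFC 6840 section 5.11 rule behind the "both will be used to sign the entire zone" answer. The sample zone, its names and key tags are constructed; key tags are read from a `; key id =` comment rather than computed from the key material.

```python
from collections import defaultdict

# Constructed sample, not the poster's zone: alg 8 and alg 14 KSK/ZSK pairs.
# Key tags are read from the "; key id =" comment, not computed from key data.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 8 AwEAAa1... ; key id = 11111
example.test. 3600 IN DNSKEY 256 3 8 AwEAAa2... ; key id = 22222
example.test. 3600 IN DNSKEY 257 3 14 mdsswU... ; key id = 33333
example.test. 3600 IN DNSKEY 256 3 14 oJMRES... ; key id = 44444
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20211001000000 20210901000000 11111 example.test. c2ln...
example.test. 3600 IN RRSIG DNSKEY 14 2 3600 20211001000000 20210901000000 33333 example.test. c2ln...
www.example.test. 300 IN RRSIG A 8 3 300 20211001000000 20210901000000 22222 example.test. c2ln...
www.example.test. 300 IN RRSIG A 14 3 300 20211001000000 20210901000000 33333 example.test. c2ln...
mail.example.test. 300 IN RRSIG A 8 3 300 20211001000000 20210901000000 22222 example.test. c2ln...
"""
KSK_FLAGS = 257  # ZONE + SEP bits; a ZSK carries 256

def parse_zone(text):
    """Return ({key_tag: (flags, alg)}, {(owner, type): [(alg, key_tag), ...]})."""
    keys, sigs = {}, defaultdict(list)
    for raw in text.splitlines():
        line, _, comment = raw.partition(";")
        f = line.split()
        if len(f) > 6 and f[3] == "DNSKEY":      # fields: flags proto alg key
            keys[int(comment.split("=")[1])] = (int(f[4]), int(f[6]))
        elif len(f) > 10 and f[3] == "RRSIG":    # fields: type alg labels ttl exp inc tag
            sigs[(f[0], f[4])].append((int(f[5]), int(f[10])))
    return keys, sigs

def audit(text):
    """Sorted findings: a KSK signing zone data directly (the thread's symptom),
    and an RRset lacking an RRSIG for an algorithm present in the DNSKEY RRset
    (RFC 6840 section 5.11: every DNSKEY algorithm must sign every RRset)."""
    keys, sigs = parse_zone(text)
    zone_algs = {alg for _flags, alg in keys.values()}
    findings = []
    for (owner, rtype), siglist in sigs.items():
        for alg, tag in siglist:
            if keys.get(tag, (0, 0))[0] == KSK_FLAGS and rtype != "DNSKEY":
                findings.append(f"KSK {tag} (alg {alg}) signs {owner} {rtype} directly")
        for alg in zone_algs - {alg for alg, _tag in siglist}:
            findings.append(f"{owner} {rtype} lacks an RRSIG for algorithm {alg}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_ZONE)))
```

Run it against the output of `dig +dnssec` or a signed zone file in the same presentation format; a healthy two-algorithm zone produces no findings.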

