On 07-11-2022 14:04, Matthijs Mekking wrote:
Hi Niall,

You need to share the dnssec-policy for no8.be in order to investigate why it doesn't show the expected behavior, but I suspect that the policy did not match the properties for the existing DNSSEC keys completely.

Ignore that, I saw too late there were attachments.

Are you able to share the public key and key state files with me so I can investigate why BIND thinks the existing keys cannot be used?

Also, the log file looks like an excerpt. A full debug (level 3) log would be useful too.

Best regards,

Matthijs


On 07-11-2022 12:40, Niall O'Reilly wrote:
I have a couple of zones which I want to migrate from CLI-driven
signing to BIND9 automatic signing, while avoiding any change to
the respective parent-zone DS RR.

Status quo ante:

- https://dnsviz.net/d/no8.be/dnssec/
   separate KSK, ZSK; both using alg 13
- https://dnsviz.net/d/jamm.ie/dnssec/
   2048-bit KSK, 2x 1024-bit ZSKs (live and spare); all using alg 8

Preparation:

- Set up minimal stand-alone instance of BIND9 named,
   configured with a **dnssec-policy** for each algorithm,
   matching properties of existing DNSSEC keys, and with
   `lifetime unlimited`;
- Deliver current key files and recently-signed copy of
   zone files to this instance.

Expected behaviour on starting named:

- Zones are loaded;
- Spare ZSK for jamm.ie is retired;
- Other keys for each zone are accepted and retained;
- A CDS RR is generated for each zone, matching the current DS RR.

Observed behaviour:

- `named -v` shows `BIND 9.18.8 (Stable Release) <id:35f5d35>`;
- Zones are loaded;
- Spare ZSK for jamm.ie is retired;
- Other RSA/SHA-256 keys (for jamm.ie) are accepted and retained;
- A CDS RR is published for jamm.ie, matching the current DS RR;
- ECDSAP256SHA256 keys (for no8.be) are not accepted;
- New ECDSAP256SHA256 keys are created for no8.be;
- No CDS RR is generated for no8.be.

Unless I'm missing something, there seems to be a discrepancy
according to key type between the handling of RSA/SHA-256 and
ECDSAP256SHA256 keys respectively.

/Niall

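As a worked illustration of the setup Niall describes (a stand-alone named with one dnssec-policy per algorithm, matching the existing keys, with unlimited lifetimes), here is an example named.conf fragment. It is added here for illustration and is not from the thread or from ISC; the policy names, file paths and the placeholder key file name are assumptions.

```conf
// Added example, not from the thread. Policy names and paths are assumptions.
//
// One policy per algorithm family. Each key entry must match the existing
// key it is meant to adopt: role (ksk/zsk), algorithm, and for RSA the
// key length. "lifetime unlimited" tells named never to schedule a rollover,
// so the parent DS stays valid.

dnssec-policy "ecdsa256-noroll" {
    keys {
        // alg 13 (ECDSAP256SHA256): key size is fixed by the algorithm
        ksk lifetime unlimited algorithm ecdsa256;
        zsk lifetime unlimited algorithm ecdsa256;
    };
};

dnssec-policy "rsasha256-noroll" {
    keys {
        // alg 8 (RSASHA256): the length must also match the existing keys
        ksk lifetime unlimited algorithm rsasha256 2048;
        zsk lifetime unlimited algorithm rsasha256 1024;
    };
};

zone "no8.be" {
    type primary;
    file "/var/named/no8.be.db";             // assumed: recently signed copy
    key-directory "/var/named/keys/no8.be";  // assumed: Kno8.be.+013+NNNNN.{key,private}
    dnssec-policy "ecdsa256-noroll";
    inline-signing yes;   // 9.18: dnssec-policy needs inline-signing or a dynamic zone
};

zone "jamm.ie" {
    type primary;
    file "/var/named/jamm.ie.db";            // assumed
    key-directory "/var/named/keys/jamm.ie"; // assumed: Kjamm.ie.+008+NNNNN.{key,private}
    dnssec-policy "rsasha256-noroll";
    inline-signing yes;
};
```

Two checks are worth running with a configuration like this. `named-checkconf` validates the policy syntax before starting, and once named is up `rndc dnssec -status no8.be` lists which keys the policy adopted and what state each is in; a key whose algorithm, role or (for RSA) length does not match any entry in the policy is not adopted, and named generates a replacement instead, which is the symptom reported for no8.be. To confirm that a retained KSK still corresponds to the parent's DS, compute it from the key file with `dnssec-dsfromkey -2 Kno8.be.+013+NNNNN.key` (placeholder file name) and compare with the DS in the parent zone. For the debug log Matthijs asks for, running named in the foreground with `named -g -d 3` writes level 3 debugging to stderr.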

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users