Hi Libor,

Thanks for your suggestion. -- Actually, we are not using the scenario I 
brought up; I had merely encountered it while playing around, and wanted to let 
you know. Will continue if I see anything!

Best,
Peter


On 2/11/25 09:04, Libor Peltan via knot-dns-users wrote:
Hi Peter,

if you're trying to mix Knot-managed DNSKEYs with different DNSKEYs from zone 
file, I'd recommend configuring incremental policy with this knob 
https://www.knot-dns.cz/docs/3.4/singlehtml/index.html#policy-dnskey-management

Anyway, I must admit we haven't really tried all the DNSSEC extra features with 
online signing, so you might step on some random bugs (as you already did).

Please continue telling us when you observe something wrong!

Thanks,

Libor

On 10. 02. 25 23:57, Peter Thomassen via knot-dns-users wrote:
Nargh, I really need to get better at not sending messages early.

Let me try again.

Consider a zonefile with

@    DNSKEY    257 3 13 ZAtZvaK2/uVw+LG2AA12Dt/ZZ+YN0IF3pFwjfBp8Jd2DXjVU0cdxfpkYStUdbFu24Js6T5uROHo8lSG9rhgduw==

and configuration

zone:
  - domain: example.com
    storage: /config/
    file: example.com.zone
    module: mod-onlinesign


This leads to:

$ dig +noall +answer @localhost -p 5300 example.com DNSKEY +dnssec
example.com.        3600    IN    DNSKEY    257 3 13 ZAtZvaK2/uVw+LG2AA12Dt/ZZ+YN0IF3pFwjfBp8Jd2DXjVU0cdxfpkYStUdbFu24Js6T5uROHo8lSG9rhgduw==
example.com.        3600    IN    DNSKEY    257 3 13 zrNQ/wJ5nZk4ZIPXvbbDflMfk0WKtvhz1rnmVfunXJGPkD8gLGOHrF7AeUJlzcBuQfdt0YoEKnjvmA+BRhR4NA==
example.com.        3600    IN    RRSIG    DNSKEY 13 2 3600 20250224225442 20250210212442 8901 example.com. 94sHqW2hVKW4ca4QS7Wd+/fODyGFKawfi8xRAk4+Ee5eusPKRhY8vBZ2d6b2vmTpFLFj6DzHmR2YSbJ8RClfjQ==
example.com.        3600    IN    RRSIG    DNSKEY 13 2 3600 20250224225442 20250210212442 8901 example.com. VJM+yxwjAqPpY/n36e2f7o2zRYfgH3CgXBp8bm92c6vqOUX31yGAB+Rh64JSnlEsECEDnAwfnLFItrLi2YNdfA==

So, there are two DNSKEYs (and that's correct; one is the explicit one from the 
zonefile, the other is from the onlinesign module), and two signatures. 
However, the signatures are both from the onlinesign module's DNSKEY.

Why is that / is that a problem / does this need fixing?


Last year, I also managed to trigger SERVFAIL by putting an RRSIG into an 
onlinesign'ed zonefile, but it appears I can't reproduce this anymore. Not sure 
what exactly I did back then.

Best,
Peter
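Added example, not code from this thread or from Knot DNS: a small Python check that parses the dig answer quoted above, computes each DNSKEY's key tag per RFC 4034 Appendix B, and relates those tags to the key tag the two DNSKEY RRSIGs name (8901), which is the way to confirm on any zone that a key present in the DNSKEY RRset never actually signs it. The dig lines are the ones above with mail-client wrapping undone; `key_tag` and `coverage_report` are names chosen here.

```python
import base64
import struct

# Constructed input: the dig answer quoted in the thread, with the lines the
# mail client wrapped joined back into one record per line.
DIG_OUTPUT = """\
example.com. 3600 IN DNSKEY 257 3 13 ZAtZvaK2/uVw+LG2AA12Dt/ZZ+YN0IF3pFwjfBp8Jd2DXjVU0cdxfpkYStUdbFu24Js6T5uROHo8lSG9rhgduw==
example.com. 3600 IN DNSKEY 257 3 13 zrNQ/wJ5nZk4ZIPXvbbDflMfk0WKtvhz1rnmVfunXJGPkD8gLGOHrF7AeUJlzcBuQfdt0YoEKnjvmA+BRhR4NA==
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250224225442 20250210212442 8901 example.com. 94sHqW2hVKW4ca4QS7Wd+/fODyGFKawfi8xRAk4+Ee5eusPKRhY8vBZ2d6b2vmTpFLFj6DzHmR2YSbJ8RClfjQ==
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250224225442 20250210212442 8901 example.com. VJM+yxwjAqPpY/n36e2f7o2zRYfgH3CgXBp8bm92c6vqOUX31yGAB+Rh64JSnlEsECEDnAwfnLFItrLi2YNdfA==
"""


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1): a 16-bit
    checksum over the DNSKEY RDATA, which is the number an RRSIG names."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def coverage_report(dig_text: str) -> dict:
    """Parse DNSKEY and RRSIG(DNSKEY) lines from dig's +noall +answer output
    and relate the computed key tags to the key tags the RRSIGs reference."""
    dnskey_tags, signer_tags = [], []
    for line in dig_text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        if f[3] == "DNSKEY":
            pubkey = base64.b64decode("".join(f[7:]))
            dnskey_tags.append(key_tag(int(f[4]), int(f[5]), int(f[6]), pubkey))
        elif f[3] == "RRSIG" and f[4] == "DNSKEY":
            signer_tags.append(int(f[10]))  # key tag field of the RRSIG
    signers = sorted(set(signer_tags))
    return {
        "dnskey_tags": dnskey_tags,
        "signer_tags": signers,
        "rrsig_count": len(signer_tags),
        # A 257-flagged key that signs nothing cannot be the DS target at the parent
        "keys_not_signing": [t for t in dnskey_tags if t not in signers],
        # An RRSIG naming a tag with no matching DNSKEY can never be verified
        "orphan_signer_tags": [t for t in signers if t not in dnskey_tags],
    }


if __name__ == "__main__":
    for name, value in coverage_report(DIG_OUTPUT).items():
        print(f"{name}: {value}")
```

Feed it the output of the same dig command against your own zone to see which keys are idle in the DNSKEY RRset.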


On 2/10/25 23:53, Peter Thomassen via knot-dns-users wrote:
Hi,

Consider a zonefile with

@    DNSKEY    257 3 13 ZAtZvaK2/uVw+LG2AA12Dt/ZZ+YN0IF3pFwjfBp8Jd2DXjVU0cdxfpkYStUdbFu24Js6T5uROHo8lSG9rhgduw==

and configuration

zone:
   - domain: example.com
     storage: /config/
     file: example.com.zone
     module: mod-onlinesign


--

deSEC e.V.
Möckernstraße 74
10965 Berlin
Germany

Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525