I'm running pdns 4.0.1-264-g50e4ab3

It's configured as an auto-provisioned superslave to a bind9 supermaster.

After NOTIFY of a new zone to pdns from the master, the zone's created & signed:

        pdnsutil show-zone example.com
                Jan 02 19:28:46 Reading random entropy from '/dev/urandom'
                This is a Slave zone
                Master: 10.1.1.53
                Last time we got update from master: Mon 2017-01-02 19:26:48
                SOA serial in database: 1482864727
                Refresh interval: 7200 seconds
                Zone has following allowed TSIG key(s): pdns-key
                Zone uses following TSIG key(s): pdns-key
                Metadata items:
                        ALLOW-AXFR-FROM 10.1.1.53
                        ALLOW-AXFR-FROM 10.2.2.53
                        ALLOW-DNSUPDATE-FROM    10.1.1.53
                        AXFR-MASTER-TSIG        pdns-key
                        AXFR-SOURCE     10.1.1.53
                        IXFR    1
                        SOA-EDIT-DNSUPDATE      EPOCH
                        TSIG-ALLOW-AXFR pdns-key
                        TSIG-ALLOW-DNSUPDATE    pdns-key
                Zone is presigned
                Zone has hashed NSEC3 semantics, configuration: 1 0 5 84d74180
                keys:
                KSK, tag = 39060, algo = 14, bits = 384
                DNSKEY = example.com. IN DNSKEY 257 3 14 sgA...ceE; ( ECDSAP384SHA384 )
                DS = example.com. IN DS 39060 14 1 acd...44f ; ( SHA1 digest )
                DS = example.com. IN DS 39060 14 2 e01...ec1 ; ( SHA256 digest )
                DS = example.com. IN DS 39060 14 4 e94...d79 ; ( SHA-384 digest )
                ZSK, tag = 1013, algo = 14, bits = 384
                DNSKEY = example.com. IN DNSKEY 256 3 14 RP6...sfx; ( ECDSAP384SHA384 )

Note that the KSK/ZSK are using algo = 14,

                KSK, tag = 39060, algo = 14, bits = 384
                ZSK, tag = 1013, algo = 14, bits = 384

which *is* clearly one of the supported algos,

        pdnsutil list-algorithms
                Jan 02 19:34:19 Reading random entropy from '/dev/urandom'
                DNSKEY algorithms supported by this installation of PowerDNS:
                5 - RSASHA1
                7 - RSASHA1-NSEC3-SHA1
                8 - RSASHA256
                10 - RSASHA512
                13 - ECDSAP256SHA256
                14 - ECDSAP384SHA384

but, according to

        https://doc.powerdns.com/md/authoritative/dnssec/#dnssec-defaults

it is not supposed to be the default, which is "algorithm 13, ECDSAP256SHA256":

        DNSSEC Defaults

                Since version 4.0, when securing a zone using pdnsutil 
secure-zone, a single ECDSA (algorithm 13, ECDSAP256SHA256) key is generated 
that is used as ZSK. Before 4.0, 3 RSA (algorithm 8) keys were generated, one 
as the KSK and two ZSKs. As all keys are online in the database, it made no 
sense to have this split-key setup.

at least when directly using

        pdnsutil secure-zone

In my pdns.conf I've config'd

        ...
        default-ksk-algorithms=ecdsa256
        default-ksk-size=0
        default-zsk-algorithms=ecdsa256
        default-zsk-size=0
        ...

which apparently isn't sufficient.

Where/how do I specify the KSK/ZSK algos to be used in this superslave config 
(not using `pdnsutil secure-zone` on the cmd line)? Whether globally, or in 
per-domain metadata?

_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
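An added example (editor's code, not from the post or from PowerDNS) that parses the `pdnsutil show-zone` output quoted above together with the pdns.conf defaults and reports every key whose algorithm differs from the configured default, along with which side actually controls that key. It relies on one PowerDNS behaviour: for a presigned zone the DNSKEY records arrive in the zone transfer from the master just like the RRSIGs, and default-ksk/zsk-algorithms only govern keys generated locally; the show-zone excerpt and config fragment are constructed from the post.

```python
import re

# Constructed excerpt of `pdnsutil show-zone` output, modelled on the post above.
SHOW_ZONE = """\
This is a Slave zone
Zone is presigned
Zone has hashed NSEC3 semantics, configuration: 1 0 5 84d74180
keys:
KSK, tag = 39060, algo = 14, bits = 384
ZSK, tag = 1013, algo = 14, bits = 384
"""

# Constructed pdns.conf fragment, as quoted in the post.
PDNS_CONF = """\
default-ksk-algorithms=ecdsa256
default-ksk-size=0
default-zsk-algorithms=ecdsa256
default-zsk-size=0
"""

# pdnsutil algorithm mnemonics -> IANA DNSKEY algorithm numbers.
ALGO_NAMES = {"rsasha1": 5, "rsasha1-nsec3-sha1": 7, "rsasha256": 8,
              "rsasha512": 10, "ecdsa256": 13, "ecdsa384": 14}
KEY_RE = re.compile(r"^(KSK|ZSK|CSK), tag = (\d+), algo = (\d+), bits = (\d+)", re.M)

def parse_show_zone(text):
    """Return (presigned, [(role, tag, algo, bits), ...]) from show-zone output."""
    presigned = "Zone is presigned" in text
    keys = [(m[1], int(m[2]), int(m[3]), int(m[4])) for m in KEY_RE.finditer(text)]
    return presigned, keys

def parse_defaults(conf):
    """Map 'KSK'/'ZSK' to the first algorithm listed in default-*-algorithms."""
    out = {}
    for role in ("ksk", "zsk"):
        m = re.search(rf"^default-{role}-algorithms=([\w,-]+)", conf, re.M)
        if m:
            out[role.upper()] = ALGO_NAMES[m[1].split(",")[0].lower()]
    return out

def audit(show_zone, conf):
    """List keys whose algorithm differs from the configured default. A presigned
    zone's DNSKEYs come from the master via AXFR, so local defaults cannot change them."""
    presigned, keys = parse_show_zone(show_zone)
    defaults = parse_defaults(conf)
    source = "master via AXFR (presigned)" if presigned else "local key generation"
    mismatches = [{"role": r, "tag": t, "algo": a, "wanted": defaults[r], "controlled_by": source}
                  for r, t, a, _ in keys if r in defaults and a != defaults[r]]
    return {"presigned": presigned, "mismatches": mismatches}
```

Run against the post's data it flags both keys as algorithm 14 against a configured 13 and attributes them to the master; against a non-presigned zone the same mismatch would point at local key generation instead.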
