Re: KSK signing zone records

2021-09-02 Thread Mark Andrews
Just give it time. Named will choose the appropriate DNSKEY when it comes time 
to re-sign the RRset. 

-- 
Mark Andrews

> On 3 Sep 2021, at 03:26, Timothy A. Holtzen wrote:
> 
> Okay, so if I'm interpreting this correctly.  When the new alg 14 KSKs
> were created and then the zone was signed (either automatically or via a
> command) there was probably only a valid alg 8 ZSK available.  As a
> result bind used the alg 14 KSK as a de facto CSK and signed the zone
> RRSets directly.  This would make sense given the nature of the issue I
> had with my key rotation process.  However now I have both valid alg 8
> and alg 14 ZSK available.  Is there a way to go back and get bind to
> re-evaluate the zone to recognize the valid ZSK records and sign them only?
> 
> Timothy A. Holtzen
> Campus Network Administrator
> Nebraska Wesleyan University
> Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D  C7DD DFFB 7662 24E6 C30D
> Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7
> 
>> On 8/31/21 18:07, Mark Andrews wrote:
>> Named will continually re-sign parts of the zone as the RRSIGs for an RRset
>> fall due for replacement.  Named looks at which keys are in the active state
>> to determine, along with the aforementioned controls, which DNSKEYs will be
>> used to re-sign the RRset.  If in the past you only had one key type and you
>> now have two, different keys may be used to re-sign the RRset.  If you changed
>> policy in named.conf, the new policy will be implemented as the RRSIGs are
>> re-generated.
>> 
>> It looks like you told named to re-sign the zone when there was only one
>> type of DNSKEY key record (or you were unlucky enough for named to check the
>> available keys while there was only one active key present), resulting in
>> named overriding the policy in named.conf.
>> 
>> Mark
>> 
>>> On 1 Sep 2021, at 03:44, Timothy A. Holtzen via bind-users wrote:
>>> 
>>> I'm using Algorithm 8 RSA/SHA-256, and Algorithm 14 ECDSA/SHA-384.  I
>>> have one RSA KSK and one RSA ZSK.  In addition I have two ECDSA KSK and
>>> two ECDSA ZSK.   The RSA KSK seems perfectly happy to sign the ECDSA
>>> ZSKs.  And both the RSA and ECDSA ZSKs seem to be signing records
>>> correctly.  It just seems to be the two newer ECDSA KSKs that instead of
>>> signing the ZSKs are signing the domain records directly. 
>>> 
>>> Even more perplexing is that one of the domains seems to have fixed
>>> itself.  Now all the KSKs for that domain are signing the ZSKs and the
>>> ZSKs are signing the domain records.  But I've still got a couple of
>>> other domains where it is doing it wrong.  Is there some kind of timeout
>>> or maintenance that gets run automatically that might have fixed the
>>> issue?  I've tried running an "rndc sign" command on the domains several
>>> times.
>>> 
>>> Timothy A. Holtzen
>>> Campus Network Administrator
>>> Nebraska Wesleyan University
>>> Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D  C7DD DFFB 7662 24E6 C30D
>>> Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7
>>> 
>>> On 8/30/21 17:40, raf via bind-users wrote:
>>>> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton wrote:
>>>> 
>>>>> What algorithm(s) are you using for ZSK and KSK? If they’re not the
>>>>> same algorithm, then both will be used to sign the entire zone.
>>>>> 
>>>>> Regards,
>>>>> Chris Buxton
>>>> Just out of curiosity, why is that?
>>>> Isn't having the KSK sign the ZSK enough?
>>>> What difference does the nature of the thing
>>>> being signed make?
>>>> 
>>>> cheers,
>>>> raf
>>>> 
> 
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: KSK signing zone records

2021-09-02 Thread Timothy A. Holtzen via bind-users
Okay, so if I'm interpreting this correctly.  When the new alg 14 KSKs
were created and then the zone was signed (either automatically or via a
command) there was probably only a valid alg 8 ZSK available.  As a
result bind used the alg 14 KSK as a de facto CSK and signed the zone
RRSets directly.  This would make sense given the nature of the issue I
had with my key rotation process.  However now I have both valid alg 8
and alg 14 ZSK available.  Is there a way to go back and get bind to
re-evaluate the zone to recognize the valid ZSK records and sign them only?

Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D  C7DD DFFB 7662 24E6 C30D
Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7

On 8/31/21 18:07, Mark Andrews wrote:
> Named will continually re-sign parts of the zone as the RRSIGs for an RRset
> fall due for replacement.  Named looks at which keys are in the active state
> to determine, along with the aforementioned controls, which DNSKEYs will be
> used to re-sign the RRset.  If in the past you only had one key type and you
> now have two, different keys may be used to re-sign the RRset.  If you changed
> policy in named.conf, the new policy will be implemented as the RRSIGs are
> re-generated.
>
> It looks like you told named to re-sign the zone when there was only one type
> of DNSKEY key record (or you were unlucky enough for named to check the
> available keys while there was only one active key present), resulting in
> named overriding the policy in named.conf.
>
> Mark
>
>> On 1 Sep 2021, at 03:44, Timothy A. Holtzen via bind-users wrote:
>>
>> I'm using Algorithm 8 RSA/SHA-256, and Algorithm 14 ECDSA/SHA-384.  I
>> have one RSA KSK and one RSA ZSK.  In addition I have two ECDSA KSK and
>> two ECDSA ZSK.   The RSA KSK seems perfectly happy to sign the ECDSA
>> ZSKs.  And both the RSA and ECDSA ZSKs seem to be signing records
>> correctly.  It just seems to be the two newer ECDSA KSKs that instead of
>> signing the ZSKs are signing the domain records directly. 
>>
>> Even more perplexing is that one of the domains seems to have fixed
>> itself.  Now all the KSKs for that domain are signing the ZSKs and the
>> ZSKs are signing the domain records.  But I've still got a couple of
>> other domains where it is doing it wrong.  Is there some kind of timeout
>> or maintenance that gets run automatically that might have fixed the
>> issue?  I've tried running an "rndc sign" command on the domains several
>> times.
>>
>> Timothy A. Holtzen
>> Campus Network Administrator
>> Nebraska Wesleyan University
>> Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D  C7DD DFFB 7662 24E6 C30D
>> Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7
>>
>> On 8/30/21 17:40, raf via bind-users wrote:
>>> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton wrote:
>>>
>>>> What algorithm(s) are you using for ZSK and KSK? If they’re not the
>>>> same algorithm, then both will be used to sign the entire zone.
>>>>
>>>> Regards,
>>>> Chris Buxton
>>> Just out of curiosity, why is that?
>>> Isn't having the KSK sign the ZSK enough?
>>> What difference does the nature of the thing
>>> being signed make?
>>>
>>> cheers,
>>> raf
>>>





Re: KSK signing zone records

2021-09-01 Thread raf via bind-users
On Thu, Sep 02, 2021 at 11:15:32AM +1000, Mark Andrews  wrote:

> The primary reason that it is per algorithm is that validators and
> signers are not required to support the same sets of algorithms and
> if you want validation to work for everyone the zone has to be fully
> signed for each algorithm that you state that it is signed for, i.e.
> published in the DS RRset held in the parent zone.  CDS and CDNSKEY
> also publish this but are not used as part of the validation process.
> 
> If you publish that you are signed for ALG-A and ALG-B and the validator
> only supports ALG-B, then if you don’t sign all the zone with ALG-B
> there will be answers that can’t be validated.  The same applies if
> the validator only supports ALG-A and you don’t fully sign the zone
> with ALG-A.
> 
> Downgrade attacks are where you support both algorithms but someone
> strips out the signatures from one of the algorithms because they
> have succeeded in breaking the other algorithm.  DNSSEC does not
> require that validators detect this condition, though some validators
> can be configured to force checks for every published algorithm that
> you support. If a validator wants to protect itself from downgrade
> attacks it needs to limit itself to only checking RRSIGs for algorithms
> listed in the DS RRset and ensure that all algorithms listed there are
> present in the response and that the signatures are good.
> 
> Mark 

Thanks again!

cheers,
raf



Re: KSK signing zone records

2021-09-01 Thread Mark Andrews
The primary reason that it is per algorithm is that validators and
signers are not required to support the same sets of algorithms and
if you want validation to work for everyone the zone has to be fully
signed for each algorithm that you state that it is signed for, i.e.
published in the DS RRset held in the parent zone.  CDS and CDNSKEY
also publish this but are not used as part of the validation process.

If you publish that you are signed for ALG-A and ALG-B and the validator
only supports ALG-B, then if you don’t sign all the zone with ALG-B
there will be answers that can’t be validated.  The same applies if
the validator only supports ALG-A and you don’t fully sign the zone
with ALG-A.

Downgrade attacks are where you support both algorithms but someone
strips out the signatures from one of the algorithms because they
have succeeded in breaking the other algorithm.  DNSSEC does not
require that validators detect this condition, though some validators
can be configured to force checks for every published algorithm that
you support. If a validator wants to protect itself from downgrade
attacks it needs to limit itself to only checking RRSIGs for algorithms
listed in the DS RRset and ensure that all algorithms listed there are
present in the response and that the signatures are good.

Mark 

> On 2 Sep 2021, at 09:30, raf via bind-users  wrote:
> 
> On Wed, Sep 01, 2021 at 03:04:56PM +0100, Tony Finch  wrote:
> 
>> raf via bind-users wrote:
>>> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton wrote:
>>> 
>>>> What algorithm(s) are you using for ZSK and KSK? If they’re not the
>>>> same algorithm, then both will be used to sign the entire zone.
>>> 
>>> Just out of curiosity, why is that?
>>> Isn't having the KSK sign the ZSK enough?
>> 
>> As well as what Mark said, the reason signing is per-algorithm is to do
>> with downgrade protection: if there's a situation where validators support
>> different algorithms (e.g. some have deprecated a bad algorithm but some
>> have not yet deployed its replacement) then a signer can support all the
>> validators by signing with both algorithms, without causing problems for
>> the newer validators that want to distrust the old algorithm. A validator
>> can decide whether a zone is secure or not based purely on the algorithms
>> listed in its DS RRset.
>> 
>> Tony.
>> -- 
>> f.anthony.n.finch  https://dotat.at/
>> Northwest Bailey: Southwesterly 3 to 5. Slight. Showers. Good.
> 
> Thanks.
> 
> cheers,
> raf
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: KSK signing zone records

2021-09-01 Thread raf via bind-users
On Wed, Sep 01, 2021 at 03:04:56PM +0100, Tony Finch  wrote:

> raf via bind-users  wrote:
> > On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton wrote:
> >
> > > What algorithm(s) are you using for ZSK and KSK? If they’re not the
> > > same algorithm, then both will be used to sign the entire zone.
> >
> > Just out of curiosity, why is that?
> > Isn't having the KSK sign the ZSK enough?
> 
> As well as what Mark said, the reason signing is per-algorithm is to do
> with downgrade protection: if there's a situation where validators support
> different algorithms (e.g. some have deprecated a bad algorithm but some
> have not yet deployed its replacement) then a signer can support all the
> validators by signing with both algorithms, without causing problems for
> the newer validators that want to distrust the old algorithm. A validator
> can decide whether a zone is secure or not based purely on the algorithms
> listed in its DS RRset.
> 
> Tony.
> -- 
> f.anthony.n.finch  https://dotat.at/
> Northwest Bailey: Southwesterly 3 to 5. Slight. Showers. Good.

Thanks.

cheers,
raf



Re: KSK signing zone records

2021-09-01 Thread Tony Finch
raf via bind-users  wrote:
> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton wrote:
>
> > What algorithm(s) are you using for ZSK and KSK? If they’re not the
> > same algorithm, then both will be used to sign the entire zone.
>
> Just out of curiosity, why is that?
> Isn't having the KSK sign the ZSK enough?

As well as what Mark said, the reason signing is per-algorithm is to do
with downgrade protection: if there's a situation where validators support
different algorithms (e.g. some have deprecated a bad algorithm but some
have not yet deployed its replacement) then a signer can support all the
validators by signing with both algorithms, without causing problems for
the newer validators that want to distrust the old algorithm. A validator
can decide whether a zone is secure or not based purely on the algorithms
listed in its DS RRset.

Tony.
-- 
f.anthony.n.finch  https://dotat.at/
Northwest Bailey: Southwesterly 3 to 5. Slight. Showers. Good.


Re: KSK signing zone records

2021-08-31 Thread raf via bind-users
On Tue, Aug 31, 2021 at 02:13:35PM +1000, Mark Andrews  wrote:

> The rules for what gets signed by what are per algorithm.  Additionally the
> SEP bit is a hint to the signer as to what is desired.  Named has controls to
> say whether to pay attention to the SEP bit or not.  Additionally it will
> override those controls to pay attention to the SEP bit if it believes that
> the zone won’t be correctly signed if it paid attention to the SEP bit.
> 
> People have created zones where one algorithm has keys with and without the
> SEP bit for one algorithm but for a second algorithm there are only keys with
> (without) the SEP bit.  If the signer has been told to honour the SEP bit then
> for the first algorithm it will be honoured and for the second algorithm the
> instruction will be overridden.
> 
> See dnssec-dnskey-kskonly, update-check-ksk and the keys sub-clause of
> dnssec-policy.

Thanks.

cheers,
raf



Re: KSK signing zone records

2021-08-31 Thread Mark Andrews
Named will continually re-sign parts of the zone as the RRSIGs for an RRset
fall due for replacement.  Named looks at which keys are in the active state
to determine, along with the aforementioned controls, which DNSKEYs will be
used to re-sign the RRset.  If in the past you only had one key type and you
now have two, different keys may be used to re-sign the RRset.  If you changed
policy in named.conf, the new policy will be implemented as the RRSIGs are
re-generated.

It looks like you told named to re-sign the zone when there was only one type
of DNSKEY key record (or you were unlucky enough for named to check the
available keys while there was only one active key present), resulting in
named overriding the policy in named.conf.

Mark

> On 1 Sep 2021, at 03:44, Timothy A. Holtzen via bind-users wrote:
> 
> I'm using Algorithm 8 RSA/SHA-256, and Algorithm 14 ECDSA/SHA-384.  I
> have one RSA KSK and one RSA ZSK.  In addition I have two ECDSA KSK and
> two ECDSA ZSK.   The RSA KSK seems perfectly happy to sign the ECDSA
> ZSKs.  And both the RSA and ECDSA ZSKs seem to be signing records
> correctly.  It just seems to be the two newer ECDSA KSKs that instead of
> signing the ZSKs are signing the domain records directly. 
> 
> Even more perplexing is that one of the domains seems to have fixed
> itself.  Now all the KSKs for that domain are signing the ZSKs and the
> ZSKs are signing the domain records.  But I've still got a couple of
> other domains where it is doing it wrong.  Is there some kind of timeout
> or maintenance that gets run automatically that might have fixed the
> issue?  I've tried running an "rndc sign" command on the domains several
> times.
> 
> Timothy A. Holtzen
> Campus Network Administrator
> Nebraska Wesleyan University
> Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D  C7DD DFFB 7662 24E6 C30D
> Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7
> 
> On 8/30/21 17:40, raf via bind-users wrote:
>> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton wrote:
>> 
>>> What algorithm(s) are you using for ZSK and KSK? If they’re not the
>>> same algorithm, then both will be used to sign the entire zone.
>>> 
>>> Regards,
>>> Chris Buxton
>> Just out of curiosity, why is that?
>> Isn't having the KSK sign the ZSK enough?
>> What difference does the nature of the thing
>> being signed make?
>> 
>> cheers,
>> raf
>> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: KSK signing zone records

2021-08-31 Thread Timothy A. Holtzen via bind-users
I'm using Algorithm 8 RSA/SHA-256, and Algorithm 14 ECDSA/SHA-384.  I
have one RSA KSK and one RSA ZSK.  In addition I have two ECDSA KSK and
two ECDSA ZSK.   The RSA KSK seems perfectly happy to sign the ECDSA
ZSKs.  And both the RSA and ECDSA ZSKs seem to be signing records
correctly.  It just seems to be the two newer ECDSA KSKs that instead of
signing the ZSKs are signing the domain records directly. 

Even more perplexing is that one of the domains seems to have fixed
itself.  Now all the KSKs for that domain are signing the ZSKs and the
ZSKs are signing the domain records.  But I've still got a couple of
other domains where it is doing it wrong.  Is there some kind of timeout
or maintenance that gets run automatically that might have fixed the
issue?  I've tried running an "rndc sign" command on the domains several
times.

Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D  C7DD DFFB 7662 24E6 C30D
Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7

On 8/30/21 17:40, raf via bind-users wrote:
> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton wrote:
>
>> What algorithm(s) are you using for ZSK and KSK? If they’re not the
>> same algorithm, then both will be used to sign the entire zone.
>>
>> Regards,
>> Chris Buxton
> Just out of curiosity, why is that?
> Isn't having the KSK sign the ZSK enough?
> What difference does the nature of the thing
> being signed make?
>
> cheers,
> raf
>





Re: KSK signing zone records

2021-08-30 Thread Mark Andrews
The rules for what gets signed by what are per algorithm.  Additionally the
SEP bit is a hint to the signer as to what is desired.  Named has controls to
say whether to pay attention to the SEP bit or not.  Additionally it will
override those controls to pay attention to the SEP bit if it believes that
the zone won’t be correctly signed if it paid attention to the SEP bit.

People have created zones where one algorithm has keys with and without the SEP
bit for one algorithm but for a second algorithm there are only keys with
(without) the SEP bit.  If the signer has been told to honour the SEP bit then
for the first algorithm it will be honoured and for the second algorithm the
instruction will be overridden.

See dnssec-dnskey-kskonly, update-check-ksk and the keys sub-clause of
dnssec-policy.

> On 31 Aug 2021, at 13:54, Chris Buxton  wrote:
> 
> I honestly don’t remember the reasoning, only the outcome. Maybe Mark or 
> someone else from ISC can shed some light? I couldn’t find the answer to this 
> regular (but infrequent) question in the ISC KB.
> 
> Regards,
> Chris Buxton
> 
>> On Aug 30, 2021, at 3:40 PM, raf via bind-users wrote:
>> 
>> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton wrote:
>> 
>>> What algorithm(s) are you using for ZSK and KSK? If they’re not the
>>> same algorithm, then both will be used to sign the entire zone.
>>> 
>>> Regards,
>>> Chris Buxton
>> 
>> Just out of curiosity, why is that?
>> Isn't having the KSK sign the ZSK enough?
>> What difference does the nature of the thing
>> being signed make?
>> 
>> cheers,
>> raf
>> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
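The two rules Mark states in this thread (in this reply: the signing rules are per algorithm and named will use a SEP key to sign data when an algorithm has no other key; in his 2021-09-01 reply: every algorithm in the DS RRset must sign the whole zone, and a downgrade-resistant validator considers only DS-listed algorithms and requires all of them) can be turned into an offline audit. The script below is an added example, not code from the thread, from ISC or from BIND. It parses DNSKEY and RRSIG records in presentation format, computes key tags per RFC 4034 Appendix B, and reports a KSK signing non-DNSKEY RRsets (the symptom the original poster describes), RRsets missing a DS-listed algorithm, and keys that signed nothing. The zone lines, the placeholder key material, and the DS algorithm set are constructed for the example; it does not verify signatures cryptographically, which is left to a real validator or dnssec-verify.

```python
# Added example: per-algorithm signing audit for a signed zone, plus the strict
# validator policy from the thread. Not from the bind-users thread, ISC or BIND.
import base64
import struct
from collections import defaultdict

SEP_FLAG = 0x0001  # DNSKEY flags: Secure Entry Point bit, i.e. a KSK (flags 257)


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B over the DNSKEY RDATA (algorithm 1 excepted)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text):
    """Read presentation-format lines (owner TTL class type rdata, one RR per line;
    ';' starts a comment). Returns DNSKEY roles keyed by (tag, alg), the RRSIGs,
    and the set of (owner, type) RRsets that should carry signatures."""
    keys, rrsigs, rrsets = {}, [], set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if not fields:
            continue
        owner, rtype = fields[0], fields[3]
        if rtype == "DNSKEY":
            flags, proto, alg = int(fields[4]), int(fields[5]), int(fields[6])
            tag = key_tag(flags, proto, alg, "".join(fields[7:]))
            keys[(tag, alg)] = "KSK" if flags & SEP_FLAG else "ZSK"
        if rtype == "RRSIG":
            # RRSIG rdata: type_covered alg labels orig_ttl expiration inception tag signer sig
            rrsigs.append((owner, fields[4], int(fields[5]), int(fields[10])))
        else:
            rrsets.add((owner, rtype))
    return keys, rrsigs, rrsets


def audit_zone(text, ds_algorithms):
    """Signer-side checks: every algorithm published in the DS RRset must sign
    every RRset; a SEP (KSK) key is expected to sign only the DNSKEY RRset; a key
    that signs nothing hints that named chose another key in its place."""
    keys, rrsigs, rrsets = parse_zone(text)
    findings = {"ksk_signed_data": [], "missing_algorithm": [],
                "unknown_key": [], "unused_key": []}
    algs_over = defaultdict(set)  # (owner, type) -> algorithms that signed it
    used = set()
    for owner, rtype, alg, tag in rrsigs:
        role = keys.get((tag, alg))
        if role is None:
            findings["unknown_key"].append((owner, rtype, alg, tag))
            continue
        used.add((tag, alg))
        algs_over[(owner, rtype)].add(alg)
        if role == "KSK" and rtype != "DNSKEY":
            findings["ksk_signed_data"].append((owner, rtype, alg, tag))
    for owner, rtype in sorted(rrsets):
        for alg in sorted(set(ds_algorithms) - algs_over[(owner, rtype)]):
            findings["missing_algorithm"].append((owner, rtype, alg))
    findings["unused_key"] = sorted((tag, alg, role) for (tag, alg), role in keys.items()
                                    if (tag, alg) not in used)
    return findings


def validator_status(ds_algorithms, rrsig_algorithms, signature_ok):
    """Validator-side policy from the thread: consider only RRSIG algorithms that
    appear in the DS RRset, and require every DS algorithm to be present with a
    good signature (stricter than the RFC 6840 'any one algorithm' default).
    signature_ok(alg) stands in for the cryptographic check, not done here."""
    if not ds_algorithms:
        return "insecure"  # no DS in the parent: unsigned delegation
    considered = set(rrsig_algorithms) & set(ds_algorithms)  # other algorithms are ignored
    if all(alg in considered and signature_ok(alg) for alg in ds_algorithms):
        return "secure"
    return "bogus"  # a DS algorithm is missing or fails: treat as a possible downgrade


# Constructed sample: alg 8 and alg 14 KSK+ZSK, mirroring the poster's setup.
# The alg 14 KSK (tag 2069) signs the apex A RRset directly, the alg 14 ZSK (4124)
# signs nothing, and www has no alg 14 signature at all. Keys and signatures are
# placeholder bytes, not real key material.
SAMPLE_ZONE = """\
example.com.     3600 IN DNSKEY 257 3 8  AQIDBA==
example.com.     3600 IN DNSKEY 256 3 8  BQYHCA==
example.com.     3600 IN DNSKEY 257 3 14 AQIDBA==
example.com.     3600 IN DNSKEY 256 3 14 BQYHCA==
example.com.     3600 IN A 192.0.2.1
www.example.com. 3600 IN A 192.0.2.2
example.com.     3600 IN RRSIG DNSKEY 8  2 3600 20211001000000 20210901000000 2063 example.com. c2ln
example.com.     3600 IN RRSIG DNSKEY 14 2 3600 20211001000000 20210901000000 2069 example.com. c2ln
example.com.     3600 IN RRSIG A 8  2 3600 20211001000000 20210901000000 4118 example.com. c2ln
example.com.     3600 IN RRSIG A 14 2 3600 20211001000000 20210901000000 2069 example.com. c2ln
www.example.com. 3600 IN RRSIG A 8  3 3600 20211001000000 20210901000000 4118 example.com. c2ln
"""
DS_ALGORITHMS = {8, 14}  # what the parent publishes for this zone (constructed)

if __name__ == "__main__":
    for name, items in audit_zone(SAMPLE_ZONE, DS_ALGORITHMS).items():
        print(f"{name}: {items}")
    print(validator_status(DS_ALGORITHMS, {8}, lambda alg: True))  # bogus: alg 14 stripped
```

On the sample the audit reports the alg 14 KSK signing the apex A RRset, www.example.com. lacking any alg 14 signature (the case Mark describes as breaking validators that only support that algorithm), and the alg 14 ZSK as unused; `validator_status` returns "bogus" when the alg 14 signatures are absent from a response even though the alg 8 ones would verify. On a real zone, feed it the output of `dig +dnssec` for the names of interest or the signed zone file, and take the algorithm set from the DS RRset at the parent rather than from the child's own DNSKEYs, since CDS/CDNSKEY are not part of validation.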



Re: KSK signing zone records

2021-08-30 Thread Chris Buxton
I honestly don’t remember the reasoning, only the outcome. Maybe Mark or 
someone else from ISC can shed some light? I couldn’t find the answer to this 
regular (but infrequent) question in the ISC KB.

Regards,
Chris Buxton

> On Aug 30, 2021, at 3:40 PM, raf via bind-users wrote:
> 
> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton wrote:
> 
>> What algorithm(s) are you using for ZSK and KSK? If they’re not the
>> same algorithm, then both will be used to sign the entire zone.
>> 
>> Regards,
>> Chris Buxton
> 
> Just out of curiosity, why is that?
> Isn't having the KSK sign the ZSK enough?
> What difference does the nature of the thing
> being signed make?
> 
> cheers,
> raf
> 





Re: KSK signing zone records

2021-08-30 Thread raf via bind-users
On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton wrote:

> What algorithm(s) are you using for ZSK and KSK? If they’re not the
> same algorithm, then both will be used to sign the entire zone.
> 
> Regards,
> Chris Buxton

Just out of curiosity, why is that?
Isn't having the KSK sign the ZSK enough?
What difference does the nature of the thing
being signed make?

cheers,
raf



Re: KSK signing zone records

2021-08-30 Thread Chris Buxton
What algorithm(s) are you using for ZSK and KSK? If they’re not the same 
algorithm, then both will be used to sign the entire zone.

Regards,
Chris Buxton

> On Aug 30, 2021, at 9:08 AM, Timothy A. Holtzen via bind-users wrote:
> 
> I've had an issue with my key rotation process on a couple of zones.  I
> believe I've resolved that issue but it appears to me in several cases
> the KSKs rather than being used to sign the ZSK are being used to sign
> the zone records directly.
> 
> https://dnsviz.net/d/testmenwu.com/dnssec/?rr=2&a=all&ds=all&ta=.&tk=
> 
> I've checked the Publication/Activation dates on the KSKs and they seem
> to be right.  The appropriate DS records should be available at the
> parent zone.  The keys in question are clearly type 257 KSKs.  Is there
> some kind of flag or something I need to add to the key to make it sign
> the ZSKs rather than the records directly?
> 
> I'm running bind 9.16.16.
> 
> 
> --
> 
> Timothy A. Holtzen
> Campus Network Administrator
> Nebraska Wesleyan University
> Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D  C7DD DFFB 7662 24E6 C30D
> Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7
> 
> 
> 





KSK signing zone records

2021-08-30 Thread Timothy A. Holtzen via bind-users
I've had an issue with my key rotation process on a couple of zones.  I
believe I've resolved that issue but it appears to me in several cases
the KSKs rather than being used to sign the ZSK are being used to sign
the zone records directly.

https://dnsviz.net/d/testmenwu.com/dnssec/?rr=2&a=all&ds=all&ta=.&tk=

I've checked the Publication/Activation dates on the KSKs and they seem
to be right.  The appropriate DS records should be available at the
parent zone.  The keys in question are clearly type 257 KSKs.  Is there
some kind of flag or something I need to add to the key to make it sign
the ZSKs rather than the records directly?

I'm running bind 9.16.16. 


-- 

Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D  C7DD DFFB 7662 24E6 C30D
Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7


