AW: migration from auto-dnssec to dnssec-policy deletes keys immediately
Hi all!
I also know a colleague which was hit by the same issue, causing problems to
their zone.
Migrating from auto-dnssec to dnssec-policy can lead to operational issues. For
example that problem with different algos should be mentioned in
https://kb.isc.org/docs/dnssec-key-and-signing-policy
Further, I suggest to add something like the following sentence to that
article: Changing DNSSEC configuration can lead to unexpected zone changes and
should be tested on dedicated test systems before. If you do this on a hidden
master, you could also temporarily disable outgoing XFR by configuring
'allow-transfer {"none";};' on that zone to prevent leakage of broken DNSSEC
zones. This way you can check the zone after migration and only after
successful testing (i.e. using https://dnsviz.net/d/ops.nic.at/analyze/ with
advanced options, pointing directly to the hidden master) re-enable outgoing
XFR.
Regards
Klaus
Von: bind-users Im Auftrag von Nick Tait via
bind-users
Gesendet: Donnerstag, 28. Dezember 2023 04:01
An: bind-users@lists.isc.org
Betreff: Re: migration from auto-dnssec to dnssec-policy deletes keys
immediately
On 28 Dec 2023, at 1:05 PM, Adrian Zaugg
mailto:lists.isc@mailgurgler.com>> wrote:
2023-12-27 23:51:24: zone myzone.ch/IN (signed): reconfiguring zone keys
2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/14076
(KSK)
2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/3654
(ZSK)
2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/2336 (KSK) created for
policy mypolicy
2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/35413 (ZSK) created for
policy mypolicy
Your DNSSEC policy “mypolicy” specifies a different algorithm (ED25519) to what
was previously in effect (ECDSAP256SHA256), which is why Bind generated new
keys. If you want Bind to keep the old keys when transitioning to dnssec-policy
you should initially specify the same algorithm in your policy.
My understanding is that after you’ve transitioned to using dnssec-policy you
should be able to change the algorithm and Bind should do a graceful roll-over?
Just make sure everything is “omnipresent” in your state files (in the keys
directory) first.
Nick.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: migration from auto-dnssec to dnssec-policy deletes keys immediately
On 12/28/23 12:58, Adrian Zaugg wrote: Hi Nick Not changing the key algo does help indeed when introducing dnssec-policy, see the log below. Thank you very much for pointing this out. But I do not understand why BIND deletes valid and published keys, just because there should be another algo used. Couldn't this be done in a smooth key rollover process aswell? Maybe someone with more insights than I have, could explain this behaviour. Thanks! I suspect because it did not have the right key states set. In order to do this all automatically we need to maintain state. Prior to dnssec-policy there is no such state. When migrating to dnssec-policy we try to derive the key states from the key timing metadata in the key files. You should check if the migration is complete and all key states are in omnipresent. You can do so with 'rndc dnssec -status '. From that point on it should be safe to make policy configuration changes, such as algorithm rolls, and old keys are phased out smoothly. I am thinking of adding an additional safety mechanism during migration, because you are not the first one to do this. Best regards, Matthijs Best regards, Adrian. Log of successful change from auto-dnssec to dnssec-policy (using the same algo): 2023-12-28 11:53:00: zone myzone.ch/IN (signed): generated salt: [...] 2023-12-28 11:53:00: zone myzone.ch/IN (signed): checkds: set 4 parentals 2023-12-28 11:53:01: zone myzone.ch/IN (signed): zone_addnsec3chain(1,CREATE, 32,[...]) 2023-12-28 11:53:01: zone myzone.ch/IN (signed): reconfiguring zone keys 2023-12-28 11:53:01: keymgr: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) created for policy mypolicy_ecdsa 2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch. +013+61287.private have changed from 0640 to 0600 as a result of this operation. 2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch. +013+38348.private have changed from 0640 to 0600 as a result of this operation. 2023-12-28 11:53:01: Fetching myzone.ch/ECDSAP256SHA256/50817 (ZSK) from key repository. 2023-12-28 11:53:01: Key myzone.ch/ECDSAP256SHA256/50817: Delaying activation to match the DNSKEY TTL (86400). 2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now published 2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now active 2023-12-28 11:53:01: CDS for key myzone.ch/ECDSAP256SHA256/61287 is now published 2023-12-28 11:53:01: CDNSKEY for key myzone.ch/ECDSAP256SHA256/61287 is now published 2023-12-28 11:53:01: zone myzone.ch/IN (signed): next key event: 28-Dec-2023 12:53:01.176 2023-12-28 11:53:01: zone myzone.ch/IN (signed): sending notifies (serial 2021010692) -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: migration from auto-dnssec to dnssec-policy deletes keys immediately
Hi Nick Not changing the key algo does help indeed when introducing dnssec-policy, see the log below. Thank you very much for pointing this out. But I do not understand why BIND deletes valid and published keys, just because there should be another algo used. Couldn't this be done in a smooth key rollover process aswell? Maybe someone with more insights than I have, could explain this behaviour. Thanks! Best regards, Adrian. Log of successful change from auto-dnssec to dnssec-policy (using the same algo): 2023-12-28 11:53:00: zone myzone.ch/IN (signed): generated salt: [...] 2023-12-28 11:53:00: zone myzone.ch/IN (signed): checkds: set 4 parentals 2023-12-28 11:53:01: zone myzone.ch/IN (signed): zone_addnsec3chain(1,CREATE, 32,[...]) 2023-12-28 11:53:01: zone myzone.ch/IN (signed): reconfiguring zone keys 2023-12-28 11:53:01: keymgr: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) created for policy mypolicy_ecdsa 2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch. +013+61287.private have changed from 0640 to 0600 as a result of this operation. 2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch. +013+38348.private have changed from 0640 to 0600 as a result of this operation. 2023-12-28 11:53:01: Fetching myzone.ch/ECDSAP256SHA256/50817 (ZSK) from key repository. 2023-12-28 11:53:01: Key myzone.ch/ECDSAP256SHA256/50817: Delaying activation to match the DNSKEY TTL (86400). 2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now published 2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now active 2023-12-28 11:53:01: CDS for key myzone.ch/ECDSAP256SHA256/61287 is now published 2023-12-28 11:53:01: CDNSKEY for key myzone.ch/ECDSAP256SHA256/61287 is now published 2023-12-28 11:53:01: zone myzone.ch/IN (signed): next key event: 28-Dec-2023 12:53:01.176 2023-12-28 11:53:01: zone myzone.ch/IN (signed): sending notifies (serial 2021010692) signature.asc Description: This is a digitally signed message part. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: migration from auto-dnssec to dnssec-policy deletes keys immediately
> On 28 Dec 2023, at 1:05 PM, Adrian Zaugg > wrote: > > 2023-12-27 23:51:24: zone myzone.ch/IN (signed): reconfiguring zone keys > 2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/14076 > (KSK) > 2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/3654 > (ZSK) > 2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/2336 (KSK) created for > policy mypolicy > 2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/35413 (ZSK) created for > policy mypolicy Your DNSSEC policy “mypolicy” specifies a different algorithm (ED25519) to what was previously in effect (ECDSAP256SHA256), which is why Bind generated new keys. If you want Bind to keep the old keys when transitioning to dnssec-policy you should initially specify the same algorithm in your policy. My understanding is that after you’ve transitioned to using dnssec-policy you should be able to change the algorithm and Bind should do a graceful roll-over? Just make sure everything is “omnipresent” in your state files (in the keys directory) first. Nick. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
migration from auto-dnssec to dnssec-policy deletes keys immediately
Dear List
Trying to migrate a zone from auto-dnssec
zone "myzone.ch" {
key-directory "/var/lib/bind/keys";
auto-dnssec maintain;
inline-signing yes;
type master;
[...]
to dnssec-policy
zone "myzone.ch" {
key-directory "/var/lib/bind/keys";
dnssec-policy "mypolicy";
inline-signing yes;
parental-agents { "quad9"; };
type master;
[...]
my BIND version 9.18.19 deletes the published and valid keys immediately with
newly created ones.
As I understand, BIND should make a smooth keyrollover keeping the old keys
around for a while and wait until the new keys have a delegation signer record
in the parent zone before the old ones get withdrawn and deleted.
What am I doing wrong?
Thank you for your help.
Best regards, Adrian.
Relevant log entries:
2023-12-27 23:51:24: zone myzone.ch/IN (signed): reconfiguring zone keys
2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/14076
(KSK)
2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/3654
(ZSK)
2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/2336 (KSK) created for
policy mypolicy
2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/35413 (ZSK) created for
policy mypolicy
2023-12-27 23:51:24: Permissions on the file /var/lib/bind/keys/Kmyzone.ch.
+013+14076.private have changed from 0640 to 0600 as a result of this
operation.
2023-12-27 23:51:24: Permissions on the file /var/lib/bind/keys/Kmyzone.ch.
+013+03654.private have changed from 0640 to 0600 as a r
esult of this opera
2023-12-27 23:51:24: Removing expired key myzone.ch/14076/ECDSAP256SHA256 from
DNSKEY RRset.
2023-12-27 23:51:24: DNSKEY myzone.ch/ECDSAP256SHA256/14076 (KSK) is now
deleted
2023-12-27 23:51:24: Removing expired key myzone.ch/3654/ECDSAP256SHA256 from
DNSKEY RRset.
2023-12-27 23:51:24: DNSKEY myzone.ch/ECDSAP256SHA256/3654 (ZSK) is now
deleted
2023-12-27 23:51:24: Fetching myzone.ch/ED25519/2336 (KSK) from key
repository.
2023-12-27 23:51:24: DNSKEY myzone.ch/ED25519/2336 (KSK) is now published
2023-12-27 23:51:24: DNSKEY myzone.ch/ED25519/2336 (KSK) is now active
2023-12-27 23:51:24: Fetching myzone.ch/ED25519/35413 (ZSK) from key
repository.
2023-12-27 23:51:24: DNSKEY myzone.ch/ED25519/35413 (ZSK) is now published
2023-12-27 23:51:24: DNSKEY myzone.ch/ED25519/35413 (ZSK) is now active
2023-12-27 23:51:24: zone myzone.ch/IN (signed): zone_addnsec3chain(1,CREATE,
32,68[...])
2023-12-27 23:51:24: zone myzone.ch/IN (signed): next key event: 27-Dec-2023
23:56:24.191
My policy looks like:
dnssec-policy "mypolicy" {
dnskey-ttl 3600;
keys {
ksk lifetime P5Y algorithm ED25519;
zsk lifetime 60d algorithm ED25519;
};
nsec3param iterations 32 optout no salt-length 16;
publish-safety 1h;
retire-safety 7d;
};
...and the parental-agents are Quad9:
parental-agents "quad9" {
9.9.9.9;
149.112.112.112;
2620:fe::fe;
2620:fe::9;
};
the old key has the following times set after the configuration change:
$ dnssec-settime -p all /etc/bind/keys/myzone.ch.+013+14076.key
Created: Wed Jul 10 10:49:51 2019
Publish: Wed Jul 10 10:49:51 2019
Activate: Wed Jul 10 10:49:51 2019
Revoke: UNSET
Inactive: Wed Dec 27 23:51:24 2023
Delete: Fri Jan 5 00:51:24 2024
SYNC Publish: UNSET
SYNC Delete: UNSET
DS Publish: UNSET
DS Delete: UNSET
signature.asc
Description: This is a digitally signed message part.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
