Re: opendnssec -> inline-signing
[ off list ]

> I couldn't help noticing that when you ran dnssec-dsfromkey you
> referenced this directory: /usr/home/dns/Fixed

nah. i have multiple copies so i can `rsync` them to refresh.

i am getting closer. as mark pointed in the direction, i found that the
keys produced by the extraction from openhsm were old style. but i am
still muddling upgrading them. e.g.

rip.psg.com:/usr/home/dns/dkeys# dnssec-settime -f -P 20240301 -A 20240301 -I 20340301 -D 20340310 Krg.net+008+12391.key
./Krg.net.+008+12391.key
./Krg.net.+008+12391.private
rip.psg.com:/usr/home/dns/dkeys# cat Krg.net+008+12391.key
rg.net. 3600 IN DNSKEY 257 3 8 AwEAAcP46+ZNd9PbePWnmTI+yQDW4VmDFUE+eWycXz+Gu7YzQuwXyEvwHEWvZXuIRezbLU81J+R0x7c8eTGAlnJjvutz1dSQd31lG46pc15FYeMoR0ec0ukZmQKNjIZCqnxRczLF5a2LW/qnOlREDFtHY6SwQrP0QHxy2HO+vLNExsEvCGlAQznvaGomj/NS/gOIAgmw3PF5vJIKKsDb5bdMJH3xY9aDDQ+4fqlaarYAiDzTYDMN+NxSo9FkjYu/3DlQqfJoBGH8TQRdWmAZr9mKSOcHDlQGhvYbHeHboUunq0twiWG8MWDdQUwtrO5jbi9ac0wEdEQiolg6U0QR0RUVFcE=

i.e. the key was not upgraded. but, it turns out it created a new one
with a dot in the name that is an upgraded version

rip.psg.com:/usr/home/dns/dkeys# cat Krg.net.+008+12391.key
; This is a key-signing key, keyid 12391, for rg.net.
; Created: 20240308032432 (Fri Mar 8 03:24:32 2024)
; Publish: 2024030100 (Fri Mar 1 00:00:00 2024)
; Activate: 2024030100 (Fri Mar 1 00:00:00 2024)
; Inactive: 2034030100 (Wed Mar 1 00:00:00 2034)
; Delete: 2034031000 (Fri Mar 10 00:00:00 2034)
rg.net. 3600 IN DNSKEY 257 3 8 AwEAAcP46+ZNd9PbePWnmTI+yQDW4VmDFUE+eWycXz+Gu7YzQuwXyEvw
        HEWvZXuIRezbLU81J+R0x7c8eTGAlnJjvutz1dSQd31lG46pc15FYeMo
        R0ec0ukZmQKNjIZCqnxRczLF5a2LW/qnOlREDFtHY6SwQrP0QHxy2HO+
        vLNExsEvCGlAQznvaGomj/NS/gOIAgmw3PF5vJIKKsDb5bdMJH3xY9aD
        DQ+4fqlaarYAiDzTYDMN+NxSo9FkjYu/3DlQqfJoBGH8TQRdWmAZr9mK
        SOcHDlQGhvYbHeHboUunq0twiWG8MWDdQUwtrO5jbi9ac0wEdEQiolg6
        U0QR0RUVFcE=

randy

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: opendnssec -> inline-signing
On 08/03/2024 12:54, Randy Bush wrote:
> but WHY NOT? same key sets with opendnssec and inline-signing, we think.

The most obvious possibility is that this is referring to a different
directory to where you put the keys that you wanted to use:

    key-directory "/usr/home/dns/dkeys"

I couldn't help noticing that when you ran dnssec-dsfromkey you
referenced this directory: /usr/home/dns/Fixed

Nick.
Re: opendnssec -> inline-signing
Please read https://kb.isc.org/docs/dnssec-key-and-signing-policy especially
the steps to do when migrating to using dnssec-policy with an existing signed
zone. Start with "lifetime unlimited". Tell named which keys have DS already
published using rndc. You can also use dnssec-settime to do this. Once your
existing keys are omnipresent you can update the lifetime to what you want to
run with.

> On 8 Mar 2024, at 10:57, Mark Andrews wrote:
>
>> On 8 Mar 2024, at 10:54, Randy Bush wrote:
>>
>>> Your DS and DNSKEY rrset are not matched. You
>>> need to publish the DS for the DNSKEY with key
>>> tag 3463.
>>>
>>> rg.net. 86256 IN DS 12391 8 2
>>> 0FB5F11E4FE4045D519A55915BD71D6DCFB1FA045B01BE891640C8EA 1C0792C9
>>>
>>> rg.net. 3463 IN DNSKEY 256 3 8 (
>>>         AwEAAa4acpL+7ohA/vCtwkn4nWtiPxfnWlIpsvaJ8TdV
>>>         OXZMetCE1l/iSlBHJT/QQQzC4UJxqendMOhM+8i2jMkd
>>>         tkRqgZUGrEZNbAwVWbsLkP6zpbEvRNrPDW6CnGcIedXB
>>>         KWqEYtYRb+iC2YhQxwHpd1mQygWwVbJglrujaj1zHcm2
>>>         y8jR9h/Y4a2dfImBMHt8kI1xl6phgncWv/GzpzgRUpid
>>>         bdx35BGvK09Qa0AxZs35/hTaxgJZq0JW7tOH4jPip/B0
>>>         ZSYPXRjfqOorbn+HcIjTEtTRnLuo+RBa1MX25HYrH9Ad
>>>         kErOCyWn71sx65L7rySB3iByz67VmA3kW0Qypp8=
>>>         ) ; ZSK; alg = RSASHA256 ; key id = 43431
>>> rg.net. 3463 IN DNSKEY 257 3 8 (
>>>         AwEAAeW0TsiLDw6VI9rcKCLnKFFVUAznLJEKR2OUExVa
>>>         4n8v5f2lysPYdz/JMl7mqZorSM9ncYRpUmaTzxt5n5XU
>>>         dh5qTJcmDZvJRXdDBfBezcXM2Cs+bTxlK/KW/i3CCC0p
>>>         g2a6VM4clWFSxw8ZlU2oNslsrw0XbxqIh96WP0jJsAko
>>>         26ACyYdsscZglGUgmyHFxPM2UmKAsk/ABgL8WTrYCg05
>>>         6FDmKT/hTWpZckJu5CekJEq5y+qNGCdqa+j4xY56f0ag
>>>         8cODW89yRPlMrw6Fr8nCLef1B6gRYN9MFU8RUY0hMy3b
>>>         s62aB8A25ZRwYTH+3x/W4mNs0DLctSBZaEZnJGs=
>>>         ) ; KSK; alg = RSASHA256 ; key id = 30790
>>> rg.net. 3463 IN RRSIG DNSKEY 8 2 3600 (
>>>         20240321203948 20240307193948 30790 rg.net.
>>>         OYKcahhMUXRDMicqgFAQBGN6I6qNVwiEnWeMtWhn5t8l
>>>         8x8lSs29rJA9GTjfJurA8wt1IrxZftB9bO/11QL3zcd4
>>>         OyCWx6sgJUxsqgrV9HbLVYFIA7ZNLfrTHd3ZELv+WjFl
>>>         LwpXwF8PLvguozEsggbO4+8yEnBMBB2H4yEovoZSJgmD
>>>         ufApZJ2xwy/EaWUlOfSTUZiFpgKgUaSEkGJb96EbAKts
>>>         kMKIpm4SWlrVobSCrbv/KF6/a8+8Wtj0tY7mgjPbREDd
>>>         liaN92BRsQO0ykBep+HxH85CXPhqBMnl2Z43guX2t+QZ
>>>         B36h61FrpFOt7RUnvJ8Pn3Rz+kx1VVOIsw== )
>>>
>>>> https://git.rg.net/randy/randy/src/master/scratch.md
>>
>> yes, we can see that, as we noted. and yes we could rekey 42 zones at
>> the parents; great fun.
>>
>> but WHY NOT? same key sets with opendnssec and inline-signing, we
>> think.
>>
>> randy
>
> I can't get to https://git.rg.net/randy/randy/src/master/scratch.md
> without installing a negative trust anchor or you fixing/removing the DS.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: opendnssec -> inline-signing
> On 8 Mar 2024, at 10:54, Randy Bush wrote:
>
>> Your DS and DNSKEY rrset are not matched. You
>> need to publish the DS for the DNSKEY with key
>> tag 3463.
>>
>> rg.net. 86256 IN DS 12391 8 2
>> 0FB5F11E4FE4045D519A55915BD71D6DCFB1FA045B01BE891640C8EA 1C0792C9
>>
>> rg.net. 3463 IN DNSKEY 256 3 8 (
>>         AwEAAa4acpL+7ohA/vCtwkn4nWtiPxfnWlIpsvaJ8TdV
>>         OXZMetCE1l/iSlBHJT/QQQzC4UJxqendMOhM+8i2jMkd
>>         tkRqgZUGrEZNbAwVWbsLkP6zpbEvRNrPDW6CnGcIedXB
>>         KWqEYtYRb+iC2YhQxwHpd1mQygWwVbJglrujaj1zHcm2
>>         y8jR9h/Y4a2dfImBMHt8kI1xl6phgncWv/GzpzgRUpid
>>         bdx35BGvK09Qa0AxZs35/hTaxgJZq0JW7tOH4jPip/B0
>>         ZSYPXRjfqOorbn+HcIjTEtTRnLuo+RBa1MX25HYrH9Ad
>>         kErOCyWn71sx65L7rySB3iByz67VmA3kW0Qypp8=
>>         ) ; ZSK; alg = RSASHA256 ; key id = 43431
>> rg.net. 3463 IN DNSKEY 257 3 8 (
>>         AwEAAeW0TsiLDw6VI9rcKCLnKFFVUAznLJEKR2OUExVa
>>         4n8v5f2lysPYdz/JMl7mqZorSM9ncYRpUmaTzxt5n5XU
>>         dh5qTJcmDZvJRXdDBfBezcXM2Cs+bTxlK/KW/i3CCC0p
>>         g2a6VM4clWFSxw8ZlU2oNslsrw0XbxqIh96WP0jJsAko
>>         26ACyYdsscZglGUgmyHFxPM2UmKAsk/ABgL8WTrYCg05
>>         6FDmKT/hTWpZckJu5CekJEq5y+qNGCdqa+j4xY56f0ag
>>         8cODW89yRPlMrw6Fr8nCLef1B6gRYN9MFU8RUY0hMy3b
>>         s62aB8A25ZRwYTH+3x/W4mNs0DLctSBZaEZnJGs=
>>         ) ; KSK; alg = RSASHA256 ; key id = 30790
>> rg.net. 3463 IN RRSIG DNSKEY 8 2 3600 (
>>         20240321203948 20240307193948 30790 rg.net.
>>         OYKcahhMUXRDMicqgFAQBGN6I6qNVwiEnWeMtWhn5t8l
>>         8x8lSs29rJA9GTjfJurA8wt1IrxZftB9bO/11QL3zcd4
>>         OyCWx6sgJUxsqgrV9HbLVYFIA7ZNLfrTHd3ZELv+WjFl
>>         LwpXwF8PLvguozEsggbO4+8yEnBMBB2H4yEovoZSJgmD
>>         ufApZJ2xwy/EaWUlOfSTUZiFpgKgUaSEkGJb96EbAKts
>>         kMKIpm4SWlrVobSCrbv/KF6/a8+8Wtj0tY7mgjPbREDd
>>         liaN92BRsQO0ykBep+HxH85CXPhqBMnl2Z43guX2t+QZ
>>         B36h61FrpFOt7RUnvJ8Pn3Rz+kx1VVOIsw== )
>>
>>> https://git.rg.net/randy/randy/src/master/scratch.md
>
> yes, we can see that, as we noted. and yes we could rekey 42 zones at
> the parents; great fun.
>
> but WHY NOT? same key sets with opendnssec and inline-signing, we
> think.
>
> randy

I can't get to https://git.rg.net/randy/randy/src/master/scratch.md
without installing a negative trust anchor or you fixing/removing the DS.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: opendnssec -> inline-signing
> Your DS and DNSKEY rrset are not matched. You
> need to publish the DS for the DNSKEY with key
> tag 3463.
>
> rg.net. 86256 IN DS 12391 8 2
> 0FB5F11E4FE4045D519A55915BD71D6DCFB1FA045B01BE891640C8EA 1C0792C9
>
> rg.net. 3463 IN DNSKEY 256 3 8 (
>         AwEAAa4acpL+7ohA/vCtwkn4nWtiPxfnWlIpsvaJ8TdV
>         OXZMetCE1l/iSlBHJT/QQQzC4UJxqendMOhM+8i2jMkd
>         tkRqgZUGrEZNbAwVWbsLkP6zpbEvRNrPDW6CnGcIedXB
>         KWqEYtYRb+iC2YhQxwHpd1mQygWwVbJglrujaj1zHcm2
>         y8jR9h/Y4a2dfImBMHt8kI1xl6phgncWv/GzpzgRUpid
>         bdx35BGvK09Qa0AxZs35/hTaxgJZq0JW7tOH4jPip/B0
>         ZSYPXRjfqOorbn+HcIjTEtTRnLuo+RBa1MX25HYrH9Ad
>         kErOCyWn71sx65L7rySB3iByz67VmA3kW0Qypp8=
>         ) ; ZSK; alg = RSASHA256 ; key id = 43431
> rg.net. 3463 IN DNSKEY 257 3 8 (
>         AwEAAeW0TsiLDw6VI9rcKCLnKFFVUAznLJEKR2OUExVa
>         4n8v5f2lysPYdz/JMl7mqZorSM9ncYRpUmaTzxt5n5XU
>         dh5qTJcmDZvJRXdDBfBezcXM2Cs+bTxlK/KW/i3CCC0p
>         g2a6VM4clWFSxw8ZlU2oNslsrw0XbxqIh96WP0jJsAko
>         26ACyYdsscZglGUgmyHFxPM2UmKAsk/ABgL8WTrYCg05
>         6FDmKT/hTWpZckJu5CekJEq5y+qNGCdqa+j4xY56f0ag
>         8cODW89yRPlMrw6Fr8nCLef1B6gRYN9MFU8RUY0hMy3b
>         s62aB8A25ZRwYTH+3x/W4mNs0DLctSBZaEZnJGs=
>         ) ; KSK; alg = RSASHA256 ; key id = 30790
> rg.net. 3463 IN RRSIG DNSKEY 8 2 3600 (
>         20240321203948 20240307193948 30790 rg.net.
>         OYKcahhMUXRDMicqgFAQBGN6I6qNVwiEnWeMtWhn5t8l
>         8x8lSs29rJA9GTjfJurA8wt1IrxZftB9bO/11QL3zcd4
>         OyCWx6sgJUxsqgrV9HbLVYFIA7ZNLfrTHd3ZELv+WjFl
>         LwpXwF8PLvguozEsggbO4+8yEnBMBB2H4yEovoZSJgmD
>         ufApZJ2xwy/EaWUlOfSTUZiFpgKgUaSEkGJb96EbAKts
>         kMKIpm4SWlrVobSCrbv/KF6/a8+8Wtj0tY7mgjPbREDd
>         liaN92BRsQO0ykBep+HxH85CXPhqBMnl2Z43guX2t+QZ
>         B36h61FrpFOt7RUnvJ8Pn3Rz+kx1VVOIsw== )
>
>> https://git.rg.net/randy/randy/src/master/scratch.md

yes, we can see that, as we noted. and yes we could rekey 42 zones at
the parents; great fun.

but WHY NOT? same key sets with opendnssec and inline-signing, we
think.

randy
Re: opendnssec -> inline-signing
Your DS and DNSKEY rrset are not matched. You
need to publish the DS for the DNSKEY with key
tag 3463.

rg.net. 86256 IN DS 12391 8 2
0FB5F11E4FE4045D519A55915BD71D6DCFB1FA045B01BE891640C8EA 1C0792C9

rg.net. 3463 IN DNSKEY 256 3 8 (
        AwEAAa4acpL+7ohA/vCtwkn4nWtiPxfnWlIpsvaJ8TdV
        OXZMetCE1l/iSlBHJT/QQQzC4UJxqendMOhM+8i2jMkd
        tkRqgZUGrEZNbAwVWbsLkP6zpbEvRNrPDW6CnGcIedXB
        KWqEYtYRb+iC2YhQxwHpd1mQygWwVbJglrujaj1zHcm2
        y8jR9h/Y4a2dfImBMHt8kI1xl6phgncWv/GzpzgRUpid
        bdx35BGvK09Qa0AxZs35/hTaxgJZq0JW7tOH4jPip/B0
        ZSYPXRjfqOorbn+HcIjTEtTRnLuo+RBa1MX25HYrH9Ad
        kErOCyWn71sx65L7rySB3iByz67VmA3kW0Qypp8=
        ) ; ZSK; alg = RSASHA256 ; key id = 43431
rg.net. 3463 IN DNSKEY 257 3 8 (
        AwEAAeW0TsiLDw6VI9rcKCLnKFFVUAznLJEKR2OUExVa
        4n8v5f2lysPYdz/JMl7mqZorSM9ncYRpUmaTzxt5n5XU
        dh5qTJcmDZvJRXdDBfBezcXM2Cs+bTxlK/KW/i3CCC0p
        g2a6VM4clWFSxw8ZlU2oNslsrw0XbxqIh96WP0jJsAko
        26ACyYdsscZglGUgmyHFxPM2UmKAsk/ABgL8WTrYCg05
        6FDmKT/hTWpZckJu5CekJEq5y+qNGCdqa+j4xY56f0ag
        8cODW89yRPlMrw6Fr8nCLef1B6gRYN9MFU8RUY0hMy3b
        s62aB8A25ZRwYTH+3x/W4mNs0DLctSBZaEZnJGs=
        ) ; KSK; alg = RSASHA256 ; key id = 30790
rg.net. 3463 IN RRSIG DNSKEY 8 2 3600 (
        20240321203948 20240307193948 30790 rg.net.
        OYKcahhMUXRDMicqgFAQBGN6I6qNVwiEnWeMtWhn5t8l
        8x8lSs29rJA9GTjfJurA8wt1IrxZftB9bO/11QL3zcd4
        OyCWx6sgJUxsqgrV9HbLVYFIA7ZNLfrTHd3ZELv+WjFl
        LwpXwF8PLvguozEsggbO4+8yEnBMBB2H4yEovoZSJgmD
        ufApZJ2xwy/EaWUlOfSTUZiFpgKgUaSEkGJb96EbAKts
        kMKIpm4SWlrVobSCrbv/KF6/a8+8Wtj0tY7mgjPbREDd
        liaN92BRsQO0ykBep+HxH85CXPhqBMnl2Z43guX2t+QZ
        B36h61FrpFOt7RUnvJ8Pn3Rz+kx1VVOIsw== )

> On 8 Mar 2024, at 10:35, Randy Bush wrote:
>
> FreeBSD 13.2-RELEASE-p10 amd64
> bind 9.16.48
> softhsm-1.3.8 (yes, i know)
> opendnssec 2.1.13
> moon in klutz
>
> been running opendnssec, and trying to move to bind inline-signing
>
> in the hope of making it more readable, the sad story is at
> https://git.rg.net/randy/randy/src/master/scratch.md
>
> thanks for any clues
>
> randy

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
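The mismatch Mark points out in the message above can be checked mechanically rather than by eye. What follows is an added example, not code from the thread, from Randy's setup or from ISC: it implements the key tag of RFC 4034 Appendix B and the SHA-256 DS digest of RFC 4509 in plain Python and runs them over the records quoted in this thread, the parent's DS with key tag 12391, the two DNSKEYs the zone was serving (dig reported key ids 43431 and 30790), and the Krg.net.+008+12391 KSK whose file is shown in Randy's later message. The record data is copied from the thread; the function names and the small constructed test key are the example's own.

```python
# Added example (not from the thread or ISC): RFC 4034 key tag and RFC 4509
# SHA-256 DS digest, applied to the rg.net records quoted in the thread.
import base64
import hashlib
import struct

OWNER = "rg.net."

# DS at the parent, as quoted: (key tag, algorithm, digest type, digest hex).
PUBLISHED_DS = (12391, 8, 2, "0FB5F11E4FE4045D519A55915BD71D6DCFB1FA045B01BE891640C8EA 1C0792C9")

# DNSKEY RRset the zone was serving: (flags, protocol, algorithm, base64 key).
SERVED_DNSKEYS = [
    (256, 3, 8,  # dig reported key id 43431 (ZSK)
     "AwEAAa4acpL+7ohA/vCtwkn4nWtiPxfnWlIpsvaJ8TdV"
     "OXZMetCE1l/iSlBHJT/QQQzC4UJxqendMOhM+8i2jMkd"
     "tkRqgZUGrEZNbAwVWbsLkP6zpbEvRNrPDW6CnGcIedXB"
     "KWqEYtYRb+iC2YhQxwHpd1mQygWwVbJglrujaj1zHcm2"
     "y8jR9h/Y4a2dfImBMHt8kI1xl6phgncWv/GzpzgRUpid"
     "bdx35BGvK09Qa0AxZs35/hTaxgJZq0JW7tOH4jPip/B0"
     "ZSYPXRjfqOorbn+HcIjTEtTRnLuo+RBa1MX25HYrH9Ad"
     "kErOCyWn71sx65L7rySB3iByz67VmA3kW0Qypp8="),
    (257, 3, 8,  # dig reported key id 30790 (KSK)
     "AwEAAeW0TsiLDw6VI9rcKCLnKFFVUAznLJEKR2OUExVa"
     "4n8v5f2lysPYdz/JMl7mqZorSM9ncYRpUmaTzxt5n5XU"
     "dh5qTJcmDZvJRXdDBfBezcXM2Cs+bTxlK/KW/i3CCC0p"
     "g2a6VM4clWFSxw8ZlU2oNslsrw0XbxqIh96WP0jJsAko"
     "26ACyYdsscZglGUgmyHFxPM2UmKAsk/ABgL8WTrYCg05"
     "6FDmKT/hTWpZckJu5CekJEq5y+qNGCdqa+j4xY56f0ag"
     "8cODW89yRPlMrw6Fr8nCLef1B6gRYN9MFU8RUY0hMy3b"
     "s62aB8A25ZRwYTH+3x/W4mNs0DLctSBZaEZnJGs="),
]

# KSK from the Krg.net.+008+12391.key file shown later in the thread.
OPENDNSSEC_KSK = (257, 3, 8,
     "AwEAAcP46+ZNd9PbePWnmTI+yQDW4VmDFUE+eWycXz+Gu7YzQuwXyEvw"
     "HEWvZXuIRezbLU81J+R0x7c8eTGAlnJjvutz1dSQd31lG46pc15FYeMo"
     "R0ec0ukZmQKNjIZCqnxRczLF5a2LW/qnOlREDFtHY6SwQrP0QHxy2HO+"
     "vLNExsEvCGlAQznvaGomj/NS/gOIAgmw3PF5vJIKKsDb5bdMJH3xY9aD"
     "DQ+4fqlaarYAiDzTYDMN+NxSo9FkjYu/3DlQqfJoBGH8TQRdWmAZr9mK"
     "SOcHDlQGhvYbHeHboUunq0twiWG8MWDdQUwtrO5jbi9ac0wEdEQiolg6"
     "U0QR0RUVFcE=")


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    key = base64.b64decode("".join(key_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (every algorithm except the obsolete RSAMD5)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner, rdata, digest_type=2):
    """RFC 4509 DS digest: SHA-256 over owner name || DNSKEY RDATA, upper-case hex."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is implemented here")
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def ds_matches(owner, dnskey, ds):
    """True if the DS (tag, alg, digest type, digest) was derived from this DNSKEY."""
    flags, protocol, algorithm, key_b64 = dnskey
    tag, alg, dtype, digest = ds
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    if key_tag(rdata) != tag or algorithm != alg:
        return False
    return ds_digest(owner, rdata, dtype) == "".join(digest.split()).upper()


def check_chain(owner, dnskeys, ds):
    """Return (served key tags, whether any served DNSKEY is covered by the DS).

    A validator needs at least one served DNSKEY whose DS is at the parent;
    if none matches, the zone is bogus, which is what this thread hits.
    """
    tags = [key_tag(dnskey_rdata(*k)) for k in dnskeys]
    return tags, any(ds_matches(owner, k, ds) for k in dnskeys)


if __name__ == "__main__":
    served_tags, intact = check_chain(OWNER, SERVED_DNSKEYS, PUBLISHED_DS)
    print("served DNSKEY key tags:", served_tags)
    print("published DS key tag:  ", PUBLISHED_DS[0])
    print("chain of trust intact: ", intact)
    print("DS belongs to the OpenDNSSEC KSK:", ds_matches(OWNER, OPENDNSSEC_KSK, PUBLISHED_DS))
```

Run as-is, the served tags should come out as the key ids dig printed, neither of which is the 12391 the parent's DS names, so `check_chain` reports the chain broken; the last line reports whether that DS belongs to the key file Randy later extracted. The tag this computes is also the value Mark's later message asks named to be told about: in BIND 9.16 that is `rndc dnssec -checkds -key <tag> published <zone>`, which records that a DS for that key is already at the parent so the policy does not wait for one.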
opendnssec -> inline-signing
FreeBSD 13.2-RELEASE-p10 amd64
bind 9.16.48
softhsm-1.3.8 (yes, i know)
opendnssec 2.1.13
moon in klutz

been running opendnssec, and trying to move to bind inline-signing

in the hope of making it more readable, the sad story is at
https://git.rg.net/randy/randy/src/master/scratch.md

thanks for any clues

randy