When your ZSK is safe to be retired depends on the state of the DS, so
without knowing the state of the KSK it is hard to say whether this
immediate removal of the old ZSK is legit or not.
Best regards,
Matthijs
On 10/20/23 01:46, Eddie Rowe wrote:
Thank you for your kind reply - BIND is too smart for me! I can confirm
that when you use a CSK key, letting BIND know that the key has been
published ("rndc dnssec -keyid value -checkds published zone") resolves
the issue with a CSK rollover, which I tried since I had issues with ZSKs
doing the same thing.
The same solution does not seem to impact a ZSK rollover which baffles
me. Are there any other considerations for when BIND might rollover a
ZSK sooner than I expected?
I waited until the ZSK was omnipresent, and as soon as I ran the rollover
command the old key disappeared (3 hour TTL) and my test zone was
immediately resigned with the new ZSK. The rollover was about 30 minutes
ago and the current time is 18:40 on Oct 19; the state info shows that the
original ZSK should still be active, but it is not.
*Original ZSK Key*
# cat 43876.state
; This is the state of key 43876, for myexample2.com.
Algorithm: 13
Length: 256
Lifetime: 17702
Successor: 5264
KSK: no
ZSK: yes
Generated: 20231019202240 (Thu Oct 19 15:22:40 2023)
Published: 20231019202240 (Thu Oct 19 15:22:40 2023)
Active: 20231019202240 (Thu Oct 19 15:22:40 2023)
*Retired: 20231020011742 (Thu Oct 19 20:17:42 2023)*
Removed: 20231030022242 (Sun Oct 29 21:22:42 2023)
DNSKEYChange: 20231019231242 (Thu Oct 19 18:12:42 2023)
ZRRSIGChange: 20231019231242 (Thu Oct 19 18:12:42 2023)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden
*New ZSK Key*
# cat 5264.state
; This is the state of key 5264, for myexample2.com.
Algorithm: 13
Length: 256
Lifetime: 5184000
Predecessor: 43876
KSK: no
ZSK: yes
Generated: 20231019231242 (Thu Oct 19 18:12:42 2023)
Published: 20231019231242 (Thu Oct 19 18:12:42 2023)
*Active: 20231020011742 (Thu Oct 19 20:17:42 2023)*
Retired: 20231219011742 (Mon Dec 18 19:17:42 2023)
Removed: 20231229022242 (Thu Dec 28 20:22:42 2023)
DNSKEYChange: 20231019231242 (Thu Oct 19 18:12:42 2023)
ZRRSIGChange: 20231019231242 (Thu Oct 19 18:12:42 2023)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent
# dig @localhost myexample2.com DNSKEY +multi
; <<>> DiG 9.16.23-RH <<>> @localhost myexample2.com DNSKEY +multi
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56141
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: cb17dbf88eab8fab010000006531b7fe20a031be5b4fab07 (good)
;; QUESTION SECTION:
;myexample2.com.		IN DNSKEY
;; ANSWER SECTION:
myexample2.com.		3600 IN DNSKEY 257 3 13 (
N7XVBtoat8ebr4jYDczH6cb/6WLJCYJ+A2h+wmQXh/Am
F21xZsZ5awToRz6pC3Z11m1q1fOxN+JKa3x4xQOPIA==
) ; KSK; alg = ECDSAP256SHA256 ; key id = 28233
myexample2.com.		3600 IN DNSKEY 256 3 13 (
fInt/iKpWoqsQdIpninExDUyOUZCgM/tGl3I5vgoogpK
ivBEwi9FRRUSMYpTY+etEWXGwSdm7jkHowrhjWz3ZQ==
) ; *ZSK; alg = ECDSAP256SHA256 ; key id = 5264*
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 19 18:13:02 CDT 2023
;; MSG SIZE  rcvd: 231
------------------------------------------------------------------------
*From:* Mark Andrews <ma...@isc.org>
*Sent:* Sunday, October 8, 2023 8:11 PM
*To:* Eddie Rowe <eddie.r...@werdev.com>
*Cc:* bind-users@lists.isc.org <bind-users@lists.isc.org>
*Subject:* Re: KASP Rollover = Immediate Loss of DNSKEY (Why Do Inactive Keys Disappear?)
> Given the parent zone doesn’t have DS records for the zone and there is no private trust anchor published,
> there is no harm in changing the DNSKEYs immediately. Try again and this time tell named that there are
> DS records published for the zone.
>
> rndc dnssec -keyid value -checkds published zone
>
> This is also how you tell named about private trust anchors which are equivalent to publishing DS records
> in the parent.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
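To make the timing in the two state files quoted above checkable mechanically, here is an added example (my own code, not BIND's and not from anyone in the thread): a small parser for the `Key: Value` format of BIND 9 dnssec-policy key state files, fed with the relevant fields from the two files Eddie posted, that cross-checks the Successor/Predecessor links and confirms that the old key's Retired time is exactly its Active time plus its Lifetime (17702 seconds). The `KeyId` field is derived from the header comment and is my naming, not a field BIND writes.

```python
"""Parse BIND 9 dnssec-policy key state files and cross-check a ZSK rollover.
Added example, not BIND code. The two state texts below are the subset of fields
from the files posted in the thread; bare timestamps are UTC, as in those files."""
from datetime import datetime, timedelta

OLD_ZSK = """; This is the state of key 43876, for myexample2.com.
Lifetime: 17702
Successor: 5264
Active: 20231019202240 (Thu Oct 19 15:22:40 2023)
Retired: 20231020011742 (Thu Oct 19 20:17:42 2023)
DNSKEYState: unretentive
GoalState: hidden
"""
NEW_ZSK = """; This is the state of key 5264, for myexample2.com.
Lifetime: 5184000
Predecessor: 43876
Active: 20231020011742 (Thu Oct 19 20:17:42 2023)
Retired: 20231219011742 (Mon Dec 18 19:17:42 2023)
DNSKEYState: rumoured
GoalState: omnipresent
"""

def parse_state(text):
    """Return {field: value}; 14-digit timestamps become datetime (UTC), counts become int.
    'KeyId' is taken from the header comment (my name for it, not a BIND field)."""
    state = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(";"):
            state["KeyId"] = int(line.split("key ")[1].split(",")[0])
            continue
        field, _, value = line.partition(":")
        value = value.strip().split(" ")[0]          # drop the "(human readable)" suffix
        if value.isdigit() and len(value) == 14:     # YYYYMMDDHHMMSS in UTC
            state[field] = datetime.strptime(value, "%Y%m%d%H%M%S")
        elif value.isdigit():
            state[field] = int(value)
        else:
            state[field] = value
    return state

def check_rollover(old, new):
    """Cross-check the predecessor/successor pair: links, handover time, lifetime arithmetic,
    and whether the old key is still meant to be in the DNSKEY RRset."""
    return {
        "linked": old.get("Successor") == new["KeyId"] and new.get("Predecessor") == old["KeyId"],
        "handover_aligned": old["Retired"] == new["Active"],
        "retire_matches_lifetime": old["Retired"] - old["Active"] == timedelta(seconds=old["Lifetime"]),
        "old_still_in_dnskey": old["DNSKEYState"] in ("rumoured", "omnipresent"),
    }
```

Run against the posted files, every timing check passes and `old_still_in_dnskey` is False, which matches what the dig output shows: the retire time was computed from the old key's (short) Lifetime, and the withdrawal from the RRset is the DS-dependent step Matthijs refers to.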