When your ZSK is safe to be retired depends on the state of the DS, so without knowing the state of the KSK it is hard to say whether this immediate removal of the old ZSK is legit or not.

Best regards,

Matthijs


On 10/20/23 01:46, Eddie Rowe wrote:
Thank you for your kind reply - BIND is too smart for me!  I can confirm that when you use a CSK key, letting BIND know that the key has been published ("rndc dnssec -keyid value -checkds published zone") resolves the issue with a CSK rollover, which I tried since I had issues with ZSKs doing the same thing.

The same solution does not seem to impact a ZSK rollover, which baffles me.  Are there any other considerations for when BIND might roll over a ZSK sooner than I expected?

I waited until the ZSK was omnipresent, and as soon as I run the rollover command the old key disappears (3 hour TTL) and my test zone is immediately resigned with the new ZSK.  The rollover was about 30 minutes ago and the current time is 18:40 on Oct 19... info shows that the original ZSK should still be active, but it is not.

*Original ZSK Key*

# cat *43876*.state
; This is the state of key 43876, for myexample2.com.
Algorithm: 13
Length: 256
Lifetime: 17702
Successor: 5264
KSK: no
ZSK: yes
Generated: 20231019202240 (Thu Oct 19 15:22:40 2023)
Published: 20231019202240 (Thu Oct 19 15:22:40 2023)
Active: 20231019202240 (Thu Oct 19 15:22:40 2023)
*Retired: 20231020011742 (Thu Oct 19 20:17:42 2023)*
Removed: 20231030022242 (Sun Oct 29 21:22:42 2023)
DNSKEYChange: 20231019231242 (Thu Oct 19 18:12:42 2023)
ZRRSIGChange: 20231019231242 (Thu Oct 19 18:12:42 2023)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden


*New ZSK Key*

# cat *5264*.state
; This is the state of key 5264, for myexample2.com.
Algorithm: 13
Length: 256
Lifetime: 5184000
Predecessor: 43876
KSK: no
ZSK: yes
Generated: 20231019231242 (Thu Oct 19 18:12:42 2023)
Published: 20231019231242 (Thu Oct 19 18:12:42 2023)
*Active: 20231020011742 (Thu Oct 19 20:17:42 2023)*
Retired: 20231219011742 (Mon Dec 18 19:17:42 2023)
Removed: 20231229022242 (Thu Dec 28 20:22:42 2023)
DNSKEYChange: 20231019231242 (Thu Oct 19 18:12:42 2023)
ZRRSIGChange: 20231019231242 (Thu Oct 19 18:12:42 2023)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent


# dig @localhost myexample2.com DNSKEY +multi

; <<>> DiG 9.16.23-RH <<>> @localhost myexample2.com DNSKEY +multi
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56141
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: cb17dbf88eab8fab010000006531b7fe20a031be5b4fab07 (good)
;; QUESTION SECTION:
;myexample2.com.                IN DNSKEY

;; ANSWER SECTION:
myexample2.com.         3600 IN DNSKEY 257 3 13 (
                                N7XVBtoat8ebr4jYDczH6cb/6WLJCYJ+A2h+wmQXh/Am
                                F21xZsZ5awToRz6pC3Z11m1q1fOxN+JKa3x4xQOPIA==
                                ) ; KSK; alg = ECDSAP256SHA256 ; key id = 28233
myexample2.com.         3600 IN DNSKEY 256 3 13 (
                                fInt/iKpWoqsQdIpninExDUyOUZCgM/tGl3I5vgoogpK
                                ivBEwi9FRRUSMYpTY+etEWXGwSdm7jkHowrhjWz3ZQ==
                                ) ; *ZSK; alg = ECDSAP256SHA256 ; key id = 5264*

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 19 18:13:02 CDT 2023
;; MSG SIZE  rcvd: 231



------------------------------------------------------------------------
*From:* Mark Andrews <ma...@isc.org>
*Sent:* Sunday, October 8, 2023 8:11 PM
*To:* Eddie Rowe <eddie.r...@werdev.com>
*Cc:* bind-users@lists.isc.org <bind-users@lists.isc.org>
*Subject:* Re: KASP Rollover = Immediate Loss of DNSKEY (Why Do Inactive Keys Disappear?)


> Given the parent zone doesn’t have DS records for the zone and there is no
> private trust anchor published, there is no harm in changing the DNSKEYs
> immediately.  Try again and this time tell named that there are DS records
> published for the zone.
>
>       rndc dnssec -keyid value -checkds published zone
>
> This is also how you tell named about private trust anchors which are
> equivalent to publishing DS records in the parent.
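A quick way to cross-check what the two posted .state files actually say, as an added example that is not part of the thread and not BIND's or ISC's own code: parse the files, derive the expected retire time from Active plus Lifetime, and check that the predecessor/successor pair lines up. It assumes that Lifetime is a number of seconds counted from Active, which the posted values bear out (17702 s after 20:22:40 UTC is exactly 01:17:42 UTC, the old key's Retired time, and the new key's 5184000 s is 60 days). The field names are those in the posted files; the key id and zone are read from the leading comment line. The checks only say whether the file is internally consistent, not whether retiring was safe, which, as the reply above notes, depends on the DS state recorded for the KSK.

```python
import re
from datetime import datetime, timedelta, timezone
# Both .state files exactly as posted in the thread (page values, not constructed).
OLD_ZSK_STATE = """\
; This is the state of key 43876, for myexample2.com.
Algorithm: 13
Length: 256
Lifetime: 17702
Successor: 5264
KSK: no
ZSK: yes
Generated: 20231019202240 (Thu Oct 19 15:22:40 2023)
Published: 20231019202240 (Thu Oct 19 15:22:40 2023)
Active: 20231019202240 (Thu Oct 19 15:22:40 2023)
Retired: 20231020011742 (Thu Oct 19 20:17:42 2023)
Removed: 20231030022242 (Sun Oct 29 21:22:42 2023)
DNSKEYChange: 20231019231242 (Thu Oct 19 18:12:42 2023)
ZRRSIGChange: 20231019231242 (Thu Oct 19 18:12:42 2023)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden
"""
NEW_ZSK_STATE = """\
; This is the state of key 5264, for myexample2.com.
Algorithm: 13
Length: 256
Lifetime: 5184000
Predecessor: 43876
KSK: no
ZSK: yes
Generated: 20231019231242 (Thu Oct 19 18:12:42 2023)
Published: 20231019231242 (Thu Oct 19 18:12:42 2023)
Active: 20231020011742 (Thu Oct 19 20:17:42 2023)
Retired: 20231219011742 (Mon Dec 18 19:17:42 2023)
Removed: 20231229022242 (Thu Dec 28 20:22:42 2023)
DNSKEYChange: 20231019231242 (Thu Oct 19 18:12:42 2023)
ZRRSIGChange: 20231019231242 (Thu Oct 19 18:12:42 2023)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent
"""
TIME_FIELDS = {"Generated", "Published", "Active", "Retired", "Removed",
               "DNSKEYChange", "ZRRSIGChange", "KRRSIGChange", "DSChange"}
INT_FIELDS = {"Algorithm", "Length", "Lifetime", "Successor", "Predecessor"}
HEADER_RE = re.compile(r";\s*This is the state of key (\d+), for (\S+?)\.?$")

def parse_state(text):
    """'Field: value' lines -> typed dict. Timestamps use the UTC token
    YYYYMMDDHHMMSS; key id and zone come from the leading comment line."""
    state = {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith(";"):
            if m := HEADER_RE.match(line):
                state["KeyId"], state["Zone"] = int(m.group(1)), m.group(2)
            continue
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field in TIME_FIELDS:
            stamp = datetime.strptime(value.split()[0], "%Y%m%d%H%M%S")
            state[field] = stamp.replace(tzinfo=timezone.utc)
        elif field in INT_FIELDS:
            state[field] = int(value)
        else:
            state[field] = value
    return state

def expected_retire(state):
    """Assumption (borne out by the posted files): Lifetime is seconds counted from Active."""
    return state["Active"] + timedelta(seconds=state["Lifetime"])

def check_timeline(state):
    """Findings about one key's own timestamps; an empty list means consistent."""
    findings = []
    if expected_retire(state) != state["Retired"]:
        findings.append("Retired is not Active + Lifetime")
    phases = [f for f in ("Generated", "Published", "Active", "Retired", "Removed") if f in state]
    for earlier, later in zip(phases, phases[1:]):
        if state[earlier] > state[later]:
            findings.append(f"{earlier} is later than {later}")
    return findings

def check_succession(pred, succ):
    """Findings about how the predecessor/successor pair lines up."""
    findings = []
    if pred.get("Successor") != succ.get("KeyId") or succ.get("Predecessor") != pred.get("KeyId"):
        findings.append("Successor/Predecessor ids do not cross-reference")
    if succ["Active"] != pred["Retired"]:
        findings.append("successor Active does not coincide with predecessor Retired")
    if pred["Algorithm"] != succ["Algorithm"]:
        findings.append("algorithm changes across the rollover")
    return findings

if __name__ == "__main__":
    old, new = parse_state(OLD_ZSK_STATE), parse_state(NEW_ZSK_STATE)
    for k in (old, new):
        print(f"key {k['KeyId']}: Active {k['Active']:%Y-%m-%dT%H:%M:%SZ} + {k['Lifetime']}s"
              f" -> Retired {k['Retired']:%Y-%m-%dT%H:%M:%SZ}; findings: {check_timeline(k) or 'none'}")
    print("succession findings:", check_succession(old, new) or "none")
```

Run against the posted files, both keys come back with no findings: the old key's Retired time is exactly what its recorded Lifetime of 17702 s dictates, and the new key's Active time coincides with it. The KSK's .state file (with its DSState and DSChange fields) would be the next thing to parse the same way, since that is where the DS state the reply refers to is recorded.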



--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

