Score:1

BIND auto-dnssec is signing records with ZSK and KSK

ng flag

I'm doing a rollover of my KSK and ZSK (concurrent with a server transfer) and BIND (version 9.16.23) has started causing problems for me. I have the following keys in my directory:

```
; Kexample.ca.+007+10274.key
; This is a zone-signing key, keyid 10274, for example.ca.
; Created: 20170629213318 (Thu Jun 29 17:33:18 2017)
; Publish: 20170629213318 (Thu Jun 29 17:33:18 2017)
; Activate: 20170629213318 (Thu Jun 29 17:33:18 2017)
; Inactive: 20221016000000 (Sat Oct 15 20:00:00 2022)
; Delete: 20221101000000 (Mon Oct 31 20:00:00 2022)
example.ca. IN DNSKEY 256 3 7 AwEAAdrZTmbJJiG5DpbDxB4hFsC5h5HfvClN2hCqCTM+K/mL6yUuGNMK
...

; Kexample.ca.+007+56883.key
; This is a key-signing key, keyid 56883, for example.ca.
; Created: 20170629213331 (Thu Jun 29 17:33:31 2017)
; Publish: 20170629213331 (Thu Jun 29 17:33:31 2017)
; Activate: 20170629213331 (Thu Jun 29 17:33:31 2017)
; Inactive: 20221013000000 (Wed Oct 12 20:00:00 2022)
; Delete: 20221015000000 (Fri Oct 14 20:00:00 2022)
example.ca. IN DNSKEY 257 3 7 AwEAAco64iLFxmdJo71EVDcgoU7fCf+KtGVVb5qNJ5Cqy2fIfQ14lfpi
...

; Kexample.ca.+015+37539.key
; This is a zone-signing key, keyid 37539, for example.ca.
; Created: 20221003223624 (Mon Oct  3 18:36:24 2022)
; Publish: 20221003223624 (Mon Oct  3 18:36:24 2022)
; Activate: 20221015000000 (Fri Oct 14 20:00:00 2022)
example.ca. IN DNSKEY 256 3 15 d5jO/VChUOdTxJbFIT/JnUC...

; Kexample.ca.+015+44951.key
; This is a key-signing key, keyid 44951, for example.ca.
; Created: 20221014002306 (Thu Oct 13 20:23:06 2022)
; Publish: 20221014002306 (Thu Oct 13 20:23:06 2022)
; Activate: 20221014000000 (Thu Oct 13 20:00:00 2022)
example.ca. IN DNSKEY 257 3 15 yTweQBDrmRQB9TlRCw5UjfLm...
```

And a standard zone config:

```
zone "example.ca" IN {
    type master;
    file "dynamic/db.example.ca.signed";
    auto-dnssec maintain;
    update-policy {
        grant "local-nsupdate-key" zonesub ANY;
    };
};
```

So as you can see from the dates, the old RSA keys should have stopped being used by now, replaced with the ED25519 keys. But this is not the case. What BIND is doing now is signing almost all the records in the zone (the NSEC records are correctly signed by only the current ZSK) with the old inactive ZSK, the new ZSK, and the new KSK:

```
A   1.234.56.7
RRSIG   A 7 2 7200 (
    20221108175559 20221009172553 10274 example.ca.
    OWuM4QbyhPMHAdAar3VN2UwtnQdNuAJ6SI638fjA7Qwi
    awbXkiWDmoMu0gPi+96f7sECeePFcrGhZwWNBaNOZM5k
    adrzaU74LyRB6uKNJ8+oJyk8gLWyLP70iuxxKqmvJyra
    sQ7evDHQOeN68VohLw+dnvsyPQt2gjyPwq+3KOyPBnu9
    WAQMfPsI5ApDj2bKodZ+YPbeGtphNFmLUo4dDvgDmTaP
    uVlFv/y8BcZVmtG5OzPk0eRmQR8z61NWU5/vLDA1BdnR
    3YxH0GCYAS6uD69KpAdi8vCoPKrz+SapY4ZVOcIqljGK
    j8G6AmXBL1lPYbqUZl3+b0R25rKbdgOKeg== )
RRSIG   A 15 2 7200 (
    20221109073728 20221014123919 44951 example.ca.
    nsK1mxNMwkpYODNwR/VggyHKhFaOd2+ZQtQxn8Np6X/Q
    N3s+ziXwvuP+ShizVVwupfzXydkZTtBmK0lLzqOWAg== )
RRSIG   A 15 2 7200 (
    20221108202820 20221016223139 37539 example.ca.
    Fj//9E+jgVtMPiltKit8cKMO3Q1XzAO9uGM9eWS2kcA9
    t1JQfzhPP/0z0bw5OpSjjCfP8qnvbuJDHk+aG0MIAQ== )
```

Aside from the date issue, this should not be happening, and is not happening with other DNSSEC zones I manage. Why is BIND bungling this zone so badly? (Or, why am I misunderstanding this so badly?!)

Debug log output showing what happens when I run `rndc sign example.ca` is available, if it's useful. Doesn't look too helpful to my eyes though.
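A check for the situation described in the question, added here as an example and not part of the original post: it parses the timing comments that dnssec-keygen writes into the `.key` files and flags RRSIGs made by a key that is past its Inactive time, or made by a KSK over anything other than the DNSKEY RRset. The key tags, roles and timestamps are those quoted above; the RRSIG list is transcribed from the three signatures shown on the A record.

```python
import re
from datetime import datetime, timezone
# Constructed sample: key tags, roles and timing taken from the key-file
# metadata quoted in the question (format as dnssec-keygen writes it).
KEY_METADATA = """\
; This is a zone-signing key, keyid 10274, for example.ca.
; Activate: 20170629213318 (Thu Jun 29 17:33:18 2017)
; Inactive: 20221016000000 (Sat Oct 15 20:00:00 2022)
; This is a key-signing key, keyid 56883, for example.ca.
; Activate: 20170629213331 (Thu Jun 29 17:33:31 2017)
; Inactive: 20221013000000 (Wed Oct 12 20:00:00 2022)
; This is a zone-signing key, keyid 37539, for example.ca.
; Activate: 20221015000000 (Fri Oct 14 20:00:00 2022)
; This is a key-signing key, keyid 44951, for example.ca.
; Activate: 20221014000000 (Thu Oct 13 20:00:00 2022)
"""
# (type covered, key tag) pairs read off the three RRSIG records in the question.
RRSIGS = [("A", 10274), ("A", 44951), ("A", 37539)]

KEY_RE = re.compile(r"^; This is a (zone|key)-signing key, keyid (\d+)")
TIME_RE = re.compile(r"^; (Activate|Inactive): (\d{14})")

def parse_key_metadata(text):
    """Map key tag -> {'role': 'ZSK'|'KSK', 'Activate': dt, 'Inactive': dt}."""
    keys, cur = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            cur = keys.setdefault(int(m.group(2)), {})
            cur["role"] = "ZSK" if m.group(1) == "zone" else "KSK"
            continue
        m = TIME_RE.match(line)
        if m and cur is not None:
            # Key-file timestamps are UTC; the parenthesised local time is ignored.
            stamp = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
            cur[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    return keys

def audit_rrsigs(keys, rrsigs, now):
    """Return the signatures that the key timing says should not exist at `now`."""
    findings = []
    for rtype, tag in rrsigs:
        k = keys.get(tag)
        if k is None:
            findings.append(f"{rtype}: signed by unknown key tag {tag}")
        elif k["role"] == "KSK" and rtype != "DNSKEY":
            findings.append(f"{rtype}: signed by KSK {tag}, which should sign only DNSKEY")
        elif "Inactive" in k and k["Inactive"] <= now:
            findings.append(f"{rtype}: signed by key {tag}, inactive since {k['Inactive']:%Y-%m-%d}")
    return findings
```

Run against the question's data with `now` set to any time after 2022-10-16 00:00 UTC, it reports the signature by the inactive ZSK 10274 and the signature by KSK 44951 over the A RRset, and leaves the one by ZSK 37539 alone.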

Patrick Mevzek avatar
cn flag
"Am I correct in thinking the KSK should not be used for signing records?" Yes and no. The KSK obviously signs the `DNSKEY` record (which includes all keys)
Patrick Mevzek avatar
cn flag
You are obfuscating everything, so hard to tell you. Use `dnsviz` in a pre-delegation test to specify your nameservers if the zone is not live or delegated, and see what it thinks. Its graphical display should be pretty good at separating KSK and ZSK and telling you what signs what, and if you see any errors or warnings you might want to address them. You might also want to detail a little more how you do your "KSK and ZSK rollover" because that is unusual. Bind takes care of ZSK rollover itself normally, and for KSK there are different options, depending on parent too.
ng flag
Aside from trimming out the key info (which doesn't seem relevant), the only thing that's changed in the info I've provided are names and IP addresses. I'm seeing tons of errors on dnsviz.net; the problem is I don't know how to address them. Hence my question.
ng flag
Re rollover procedure, I just migrated from a server that was doing manual signing with old keys that had never been updated. All I did was generate new keys and set the timestamps for activation/inactivation/deletion accordingly.
ng flag
@PatrickMevzek Is there some information I could add to the question to help diagnose the problem? As far as I can see there's no way to control how BIND manages keys, so signing records with a KSK seems like a clear-cut bug to me.
Patrick Mevzek avatar
cn flag
"I'm seeing tons of errors on dnsviz.net" Hard to help you, but at least it shows you another tool does think there is a problem. "I just migrated from a server that was doing manual signing with old keys that had never been updated." That may be more a total rebuild of DNSSEC than a rollover, I mean did the old KSK sign the new one, etc.? How much is the domain important/used? If not, start from scratch from no DNSSEC at all. Maybe see "dnssec-dnskey-kskonly" in https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html?highlight=dnssec+dnskey+kskonly#boolean-options and update-check-ksk
ng flag
`update-check-ksk` defaults to on, and manually setting it didn't change anything unfortunately. Same for `dnssec-dnskey-kskonly`. I don't need another tool to tell me there's a problem. I know there's a problem, and I know exactly what it is. That's the whole point of my question: why is BIND causing the problem?
Patrick Mevzek avatar
cn flag
"why is BIND causing the problem?" Hard to know without knowing the real data, nor the real steps (rollover is dozens of steps). As you obfuscated everything, I tried to help by giving you other tools that you can run. Your zone ended in a bad state, but as no one knows how you made it arrive there it is difficult I think to help.
Score:0
ng flag

In the absence of any explanation for why BIND was misbehaving like this, I ended up running `rndc freeze example.ca`, manually removing all the RRSIG records, running `rndc sign`, and thawing it again with `rndc thaw example.ca`. BIND then proceeded to properly sign records with only the new ZSK. The old ZSK remains as a DNSKEY record; I'm hopeful it will be removed according to the schedule in the metadata.
