DNSSEC and NSEC missing ZSK?


DNSSEC and NSEC missing ZSK?

@lbutlr
I feel I am getting close. I got the digest generated for hover.com and updated the DNS on the test zone, but I am getting errors on verify that I don't understand.

#v+
# dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed
Loading zone 'example.com' from file '/etc/namedb/working/example.com.signed'

Verifying the zone using the following algorithms:
- ECDSAP256SHA256
Missing ZSK for algorithm ECDSAP256SHA256
Missing NSEC record for blog.example.com
Missing NSEC record for wiki.example.com
Missing NSEC record for foobar.example.com
Missing NSEC record for barfoo.example.com
The zone is not fully signed for the following algorithms:
 ECDSAP256SHA256
.
DNSSEC completeness test failed.
#v-

The missing ZSK is throwing me, and I don't know what to add to my zone record for NSEC. I am following along (trying) with https://bind9.readthedocs.io/en/latest/dnssec-guide.html which makes no mention of this, but shows NSEC showing up in the output of the signed file.

The only thing I can find that seems relevant (though it is for bind 9.7.3) is part of the key generation, but I did not generate the keys manually, bind did that with dnssec-policy default;

#v+
; This is the state of key 18434, for example.com.
Algorithm: 13
Length: 256
Lifetime: 0
KSK: yes
ZSK: yes
Generated: 20210202180145 (Tue Feb  2 11:01:45 2021)
Published: 20210202180145 (Tue Feb  2 11:01:45 2021)
Active: 20210202180145 (Tue Feb  2 11:01:45 2021)
PublishCDS: 20210203190645 (Wed Feb  3 12:06:45 2021)
DNSKEYChange: 20210202200645 (Tue Feb  2 13:06:45 2021)
ZRRSIGChange: 20210203190645 (Wed Feb  3 12:06:45 2021)
KRRSIGChange: 20210202200645 (Tue Feb  2 13:06:45 2021)
DSChange: 20210203190645 (Wed Feb  3 12:06:45 2021)
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
KRRSIGState: omnipresent
DSState: rumoured
GoalState: omnipresent
#v-

So the state file says the ZSK is yes, but dnssec-verify says no.

I ran delv test and it looks as I expect based on the guide linked above.

#v+
# delv @127.0.0.1 -a /tmp/Kexample.com.+013+18434.key +root=example.com example.com SOA +multiline
; fully validated
example.com.          3600 IN SOA ns1.example.net. admin.example.net. (
                                2018022422 ; serial
                                300        ; refresh (5 minutes)
                                300        ; retry (5 minutes)
                                18000      ; expire (5 hours)
                                3600       ; minimum (1 hour)
                                )
example.com.          3600 IN RRSIG SOA 13 2 3600 (
                                20210221095138 20210207085138 18434 example.com.
                                Qps8u4m6…=
#v-

Is there a way to force rndc/bind to recreate the .signed file? If I move it aside and restart named or rndc reload or rndc reconfig, the signed zone file is not recreated.

--
'I don't see why everyone depends on me. I'm not dependable. Even I
        don't depend on me, and I'm me.'

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC and NSEC missing ZSK?

Matthijs Mekking
Hi,

On 08-02-2021 12:20, @lbutlr wrote:

> I feel I am getting close. I got the digest generated for hover.com and updated the DNS on the test zone, but I am getting errors on verify that I don't understand.
>
> #v+
> # dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed
> Loading zone 'example.com' from file '/etc/namedb/working/example.com.signed'
>
> Verifying the zone using the following algorithms:
> - ECDSAP256SHA256
> Missing ZSK for algorithm ECDSAP256SHA256
> Missing NSEC record for blog.example.com
> Missing NSEC record for wiki.example.com
> Missing NSEC record for foobar.example.com
> Missing NSEC record for barfoo.example.com
> The zone is not fully signed for the following algorithms:
>   ECDSAP256SHA256
> .
> DNSSEC completeness test failed.
> #v-
>
> The missing ZSK is throwing me, and I don't know what to add to my zone record for NSEC. I am following along (trying) with https://bind9.readthedocs.io/en/latest/dnssec-guide.html which makes no mention of this, but shows NSEC showing up in the output of the signed file.

Use dnssec-verify -z to indicate that the ZSK may be the same key as the
KSK.

The missing NSEC records are more worrisome.


> The only thing I can find that seems relevant (though it is for bind 9.7.3) is part of the key generation, but I did not generate the keys manually, bind did that with dnssec-policy default;
>
> #v+
> ; This is the state of key 18434, for example.com.
> Algorithm: 13
> Length: 256
> Lifetime: 0
> KSK: yes
> ZSK: yes
> Generated: 20210202180145 (Tue Feb  2 11:01:45 2021)
> Published: 20210202180145 (Tue Feb  2 11:01:45 2021)
> Active: 20210202180145 (Tue Feb  2 11:01:45 2021)
> PublishCDS: 20210203190645 (Wed Feb  3 12:06:45 2021)
> DNSKEYChange: 20210202200645 (Tue Feb  2 13:06:45 2021)
> ZRRSIGChange: 20210203190645 (Wed Feb  3 12:06:45 2021)
> KRRSIGChange: 20210202200645 (Tue Feb  2 13:06:45 2021)
> DSChange: 20210203190645 (Wed Feb  3 12:06:45 2021)
> DNSKEYState: omnipresent
> ZRRSIGState: omnipresent
> KRRSIGState: omnipresent
> DSState: rumoured
> GoalState: omnipresent
> #v-
>
> So the state file says the ZSK is yes, but dnssec-verify says no.
>
> I ran delv test and it looks as I expect based on the guide linked above.
>
> #v+
> # delv @127.0.0.1 -a /tmp/Kexample.com.+013+18434.key +root=example.com example.com SOA +multiline
> ; fully validated
> example.com.          3600 IN SOA ns1.example.net. admin.example.net. (
>                                  2018022422 ; serial
>                                  300        ; refresh (5 minutes)
>                                  300        ; retry (5 minutes)
>                                  18000      ; expire (5 hours)
>                                  3600       ; minimum (1 hour)
>                                  )
> example.com.          3600 IN RRSIG SOA 13 2 3600 (
>                                  20210221095138 20210207085138 18434 example.com.
>                                  Qps8u4m6…=
> #v-
>
> Is there a way to force rndc/bind to recreate the .signed file? If I move it aside and restart named or rndc reload or rndc reconfig, the signed zone file is not recreated.


rndc sign zone

- Matthijs

Re: DNSSEC and NSEC missing ZSK?

@lbutlr


> On 08 Feb 2021, at 07:24, Matthijs Mekking <[hidden email]> wrote:
>
> Hi,
>
> On 08-02-2021 12:20, @lbutlr wrote:
>> I feel I am getting close. I got the digest generated for hover.com and updated the DNS on the test zone, but I am getting errors on verify that I don't understand.
>> #v+
>> # dnssec-verify -I text -o example.com /etc/namedb/working/example.com.signed
>> Loading zone 'example.com' from file '/etc/namedb/working/example.com.signed'
>> Verifying the zone using the following algorithms:
>> - ECDSAP256SHA256
>> Missing ZSK for algorithm ECDSAP256SHA256
>> Missing NSEC record for blog.example.com
>> Missing NSEC record for wiki.example.com
>> Missing NSEC record for foobar.example.com
>> Missing NSEC record for barfoo.example.com
>> The zone is not fully signed for the following algorithms:
>>  ECDSAP256SHA256
>> .
>> DNSSEC completeness test failed.
>> #v-
>> The missing ZSK is throwing me, and I don't know what to add to my zone record for NSEC. I am following along (trying) with https://bind9.readthedocs.io/en/latest/dnssec-guide.html which makes no mention of this, but shows NSEC showing up in the output of the signed file.
>
> Use dnssec-verify -z to indicate that the ZSK may be the same key as the KSK.

Thanks, so that is sorted.

> The missing NSEC records are more worrisome.

Oddly, some of the NSEC entries are in the signed zone file (well, I assume that is what this means):

NSEC    blog.example.com. A NS SOA MX TXT RRSIG NSEC DNSKEY CDS CDNSKEY TYPE65534
RRSIG   NSEC 13 2 3600
NSEC    wiki.example.com. CNAME RRSIG NSEC
RRSIG   NSEC 13 3 3600 (
                                )

All the subdomains are CNAME.

And some other occurrences of NSEC, but not the home and foobar or barfoo.

>> #v-
>> Is there a way to force rndc/bind to recreate the .signed file? If I move it aside and restart named or rndc reload or rndc reconfig, the signed zone file is not recreated.
>
>
> rndc sign zone

That recreates the .signed.jnl and not the .signed file. No errors are reported.


--
How you have felt, o men of Athens, at hearing the speeches of my
        accusers, I cannot tell; but I know that their persuasive words
        almost made me forget who I was, such was the effect of them; and
        yet they have hardly spoken a word of truth.
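Matthijs's remark that the missing NSEC records are the real problem, and the partial NSEC listing in the reply above, both come down to one property of a signed zone: every authoritative owner name needs an NSEC RR, and the NSEC "next" fields must form a closed chain in canonical order that wraps back to the apex. The checker below is an added example, not code from this thread or from BIND's dnssec-verify; it runs over a constructed sample zone (RRSIGs omitted, every owner treated as authoritative, no delegation glue) and reports both kinds of gap.

```python
# Constructed sample of a text-format signed zone (one RR per line, RRSIGs
# omitted): barfoo and foobar have no NSEC, and blog's NSEC skips foobar.
SAMPLE_ZONE = """\
example.com.        3600 IN SOA   ns1.example.net. admin.example.net. 2018022422 300 300 18000 3600
example.com.        3600 IN NS    ns1.example.net.
example.com.        3600 IN NSEC  barfoo.example.com. NS SOA RRSIG NSEC DNSKEY
barfoo.example.com. 3600 IN CNAME example.com.
blog.example.com.   3600 IN CNAME example.com.
blog.example.com.   3600 IN NSEC  wiki.example.com. CNAME RRSIG NSEC
foobar.example.com. 3600 IN CNAME example.com.
wiki.example.com.   3600 IN CNAME example.com.
wiki.example.com.   3600 IN NSEC  example.com. CNAME RRSIG NSEC
"""


def canonical_key(name):
    """Sort key for RFC 4034 canonical order: labels compared right to left,
    case-insensitively, with a name sorting before any name below it."""
    labels = name.lower().rstrip(".").split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


def parse_zone(text):
    """Return {owner: {rtype: [rdata, ...]}} for a one-RR-per-line zone."""
    rrsets = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        rrsets.setdefault(owner.lower(), {}).setdefault(rtype, []).append(rdata)
    return rrsets


def check_nsec_chain(text):
    """Report owners with no NSEC RR, and NSEC 'next' fields that do not point
    at the following owner in canonical order (the last one must wrap to the
    apex). Simplifying assumption: every owner is authoritative; delegation
    glue, which real verifiers skip, is not handled here."""
    rrsets = parse_zone(text)
    owners = sorted(rrsets, key=canonical_key)  # the apex sorts first
    missing = [o for o in owners if "NSEC" not in rrsets[o]]
    chain_errors = []
    for i, owner in enumerate(owners):
        if "NSEC" not in rrsets[owner]:
            continue
        expected_next = owners[(i + 1) % len(owners)]
        actual_next = rrsets[owner]["NSEC"][0].split()[0].lower()
        if actual_next != expected_next:
            chain_errors.append((owner, actual_next, expected_next))
    return missing, chain_errors
```

On the sample, `check_nsec_chain(SAMPLE_ZONE)` reports barfoo and foobar as missing their NSEC and flags blog's NSEC for pointing at wiki instead of foobar.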


Re: DNSSEC and NSEC missing ZSK?

@lbutlr
On 08 Feb 2021, at 11:10, @lbutlr <[hidden email]> wrote:
> That recreates the .signed.jnl and not the .signed file. No errors are reported.

Well, I have finally gotten the test zone to the point where dnssec-verify is happy and everything that I can check also seems happy except dnsviz which is very very VERY angry and basically says the zone is entirely garbage. I am hoping this is a propagation issue, but I kind of doubt it since it should be querying the authoritative DNS for the DNSKEY and RRSIG and such, I'd think.

I'll give it a couple of days and see where I am there before I try to move any domains that are actually used.

Thanks everyone for prods and hints along this path.

--
When and where does this "real world" occur?!


Re: DNSSEC and NSEC missing ZSK?

Mal via bind-users


On 09/02/2021 10:47 pm, @ wrote:
> Well, I have finally gotten the test zone to the point where dnssec-verify is happy and everything that I can check also seems happy except dnsviz which is very very VERY angry and basically says the zone is entirely garbage. I am hoping this is a propagation issue, but I kind of doubt it since it should be querying the authoritative DNS for the DNSKEY and RRSIG and such, I'd think.

The easiest way to get help is to post your named.conf and zone file. 
Obfuscating the configuration works against you, especially when you
have a limited understanding of DNSSEC.

DNSVIZ displays your current state very well.  If it's showing you
errors, then it requires you to act.

The query IPs DNSVIZ typically uses are:

64.191.0.132
64.191.0.138
2620:ff:c000::132
2620:ff:c000::138

So you can easily reconcile the DNSVIZ query, in real time, that
produced your data set. 

The DS record propagation, at the registry level, should never take days
(no more than 15-30 minutes is my experience).  You need to make sure
you have configured (or instructed the registry, per manual
intervention) the correct Algorithm (13) and the digest type (SHA256)
when you provide your Hash. 
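Mal's point about the algorithm (13) and digest type (SHA-256) follows from how a DS is built: the parent publishes a digest of the child's KSK DNSKEY, so you can recompute it from the DNSKEY and compare all four fields with what the registry shows. The code below is an added example, not from this thread or from BIND (BIND's own tool for this is dnssec-dsfromkey); the public key is a constructed all-zero placeholder and the function names are illustrative.

```python
import base64
import hashlib
import struct

# Constructed placeholder public key (64 zero bytes); a real KSK's key goes here.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(64)).decode("ascii")


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as sent on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: RDATA summed as 16-bit words, carry folded in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """(key_tag, algorithm, digest_type, digest_hex) for the DS of this DNSKEY.
    digest = SHA-256(owner name in wire form | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    if digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is implemented here")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(published, computed):
    """True when the DS the parent publishes agrees with the one derived from the
    KSK in all four fields; a wrong algorithm or digest type entered at the
    registry fails here exactly as a wrong digest does."""
    return tuple(published[:3]) == tuple(computed[:3]) and \
        published[3].lower() == computed[3].lower()


if __name__ == "__main__":
    # Constructed KSK for example.com: flags 257 (KSK), protocol 3, algorithm 13.
    print("example.com. IN DS %d %d %d %s" % ds_record("example.com.", 257, 3, 13, SAMPLE_PUBKEY_B64))
```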



Re: DNSSEC and NSEC missing ZSK?

@lbutlr
On 09 Feb 2021, at 16:19, Mal via bind-users <[hidden email]> wrote:
> On 09/02/2021 10:47 pm, @ wrote:
>> Well, I have finally gotten the test zone to the point where dnssec-verify is happy and everything that I can check also seems happy except dnsviz which is very very VERY angry and basically says the zone is entirely garbage. I am hoping this is a propagation issue, but I kind of doubt it since it should be querying the authoritative DNS for the DNSKEY and RRSIG and such, I'd think.

> The easiest way to get help is to post your named.conf and zone file.

Not doing that for domains that are not actually owned by me, which includes the domain I was using to test this setup.

> DNSVIZ displays your current state very well.  If it's showing you
> errors, then it requires you to act.

Seems not to be the case as after 10 hours or so, dnsviz has stopped complaining.

--
Heisenberg's only uncertainty was what pub to vomit in next and Jung
        fancied Freud's mother too. -- Jared Earle
