DNSSEC inline/auto - burst of resigning/updates ?


DNSSEC inline/auto - burst of resigning/updates ?

Brandon Applegate
Hello,

I just very recently set up all my zones for inline signing + auto maintain.  Prior to this I had cron jobs resigning and it was working okay.  But after I read up on inline/auto I thought it to be much more elegant.

Anyway, basically the behavior I expect and observe is that bind periodically resigns my zones based on the sig-validity-interval values.  Also, if I push a DDNS update (I do this for my home firewall for remote access (dynamic IP) as well as rotating my DKIM keys), I expect the zone to get resigned and my slaves get NOTIFYs and pull it.  All of this happens.

Tonight though in about an hour, the serial number was incremented 12 times and NOTIFYs sent.  My home firewall is stable, and my DKIM rotation happens monthly via cron.  So there’s nothing in the logs regarding a DDNS update.

My question is: what could prompt these changes?  I don’t see a pattern in time or anything else in the logs.

Also if there’s some debug I can toggle or increase I’m all ears…

Here’s the zone in question and its config stanza:

        zone "burn.net" IN {
                type master;
                file "burn.net.zone";
                update-policy {
                        grant vom.burn.net. zonesub A AAAA TXT;
                };
                key-directory "/var/cache/bind/keys";
                auto-dnssec maintain;
                inline-signing yes;
                sig-validity-interval 14 9;
        };

# grep -i burn.net /var/log/syslog | grep notifies
Sep  6 17:54:43 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082736)
Sep  6 17:57:41 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082737)
Sep  6 18:11:02 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082738)
Sep  6 18:16:42 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082739)
Sep  6 18:22:07 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082740)
Sep  6 18:28:51 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082741)
Sep  6 18:31:27 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082742)
Sep  6 18:40:07 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082743)
Sep  6 18:50:25 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082744)
Sep  6 18:55:03 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082745)
Sep  6 18:57:27 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082746)
Sep  6 18:58:24 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082747)
Sep  6 19:04:37 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082748)

Thanks.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
0641 D285 A36F 533A 73E5  2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons.
Only now are such things possible."


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

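To spot a burst like the one in the log above without reading syslog by hand, here is an added example (not code from this thread, from Brandon, or from BIND) that parses named's "sending notifies" lines, reports the largest number of NOTIFYs any zone sent inside a one-hour window, and flags serials that go backwards. It assumes the syslog line shape shown in the post; syslog carries no year, so a year is supplied by the caller. The `example.test` lines are constructed to show a serial regression; the `burn.net` lines are the ones from the post.

```python
"""Detect NOTIFY bursts and serial regressions in named's syslog output.

Added example for this thread (not BIND code and not the poster's script).
It assumes the syslog line shape shown in the post; syslog carries no year,
so the caller supplies one.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The thirteen "sending notifies" lines from the original post.
SAMPLE_LOG = """\
Sep  6 17:54:43 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082736)
Sep  6 17:57:41 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082737)
Sep  6 18:11:02 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082738)
Sep  6 18:16:42 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082739)
Sep  6 18:22:07 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082740)
Sep  6 18:28:51 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082741)
Sep  6 18:31:27 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082742)
Sep  6 18:40:07 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082743)
Sep  6 18:50:25 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082744)
Sep  6 18:55:03 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082745)
Sep  6 18:57:27 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082746)
Sep  6 18:58:24 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082747)
Sep  6 19:04:37 orbital named[9857]: zone burn.net/IN (signed): sending notifies (serial 2019082748)
"""

# Constructed lines (not from the post): a serial that goes backwards, which is
# what loading a stale zone file or a hand-edited serial looks like to the secondaries.
ANOMALY_LOG = """\
Sep  7 02:00:00 orbital named[9857]: zone example.test/IN: sending notifies (serial 2019090702)
Sep  7 02:05:00 orbital named[9857]: zone example.test/IN: sending notifies (serial 2019090701)
"""

# "(signed)" is the inline-signed copy of the zone; plain zones have no such tag.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ named\[\d+\]: "
    r"zone (?P<zone>\S+)(?: \([^)]*\))?: sending notifies \(serial (?P<serial>\d+)\)$"
)


def parse_notify_lines(text, year=2019):
    """Return (timestamp, zone, serial) tuples in file order; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Collapse the double space syslog puts before single-digit days.
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["zone"], int(m["serial"])))
    return events


def notify_bursts(events, window=timedelta(hours=1)):
    """Per zone: the largest number of NOTIFYs inside any `window`-long span that
    starts at one of the NOTIFYs, and when that span starts."""
    by_zone = defaultdict(list)
    for ts, zone, _ in events:
        by_zone[zone].append(ts)
    result = {}
    for zone, stamps in by_zone.items():
        stamps.sort()
        best = (0, None)
        for i, start in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if t - start <= window)
            if count > best[0]:
                best = (count, start)
        result[zone] = best
    return result


def serial_regressions(events):
    """(zone, previous_serial, new_serial) for every NOTIFY whose serial is lower
    than the one before it.  Plain integer comparison is enough for the
    YYYYMMDDnn convention used here; RFC 1982 wraparound is not modelled."""
    last, bad = {}, []
    for _, zone, serial in events:
        if zone in last and serial < last[zone]:
            bad.append((zone, last[zone], serial))
        last[zone] = serial
    return bad


def serial_increments(events, zone):
    """How far the serial moved between the first and last NOTIFY for `zone`."""
    serials = [s for _, z, s in events if z == zone]
    return serials[-1] - serials[0] if len(serials) > 1 else 0


if __name__ == "__main__":
    ev = parse_notify_lines(SAMPLE_LOG)
    for zone, (count, start) in notify_bursts(ev).items():
        print(f"{zone}: {count} NOTIFYs within an hour of {start}")
    print("regressions:", serial_regressions(parse_notify_lines(ANOMALY_LOG)))
```

Run against the lines from the post it reports eleven NOTIFYs inside one hour starting at 18:11:02 and a serial that moved twelve steps, which is the "incremented 12 times" in the question; the constructed `example.test` lines trigger the regression check. Feeding it `journalctl -u named` or a syslog tail on a cron schedule gives a cheap alarm for both an unexpected flurry and a serial that went backwards.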

Re: DNSSEC inline/auto - burst of resigning/updates ?

Mark Andrews
Named splits the re-signing load up into small chunks so that all the CPU isn’t
consumed signing the zone and the server can still answer questions, accept updates,
etc.  It does this by randomly reducing the expiry time by a small amount for each
chunk it signs; the exception to this is the SOA record, which is always signed with
the full validity interval as it acts as a sentinel indicating the zone has been
fully processed.

Also if you are doing dynamic updates to the same machine that is signing the zone
I would recommend NOT using inline signing.  All it does is complicate the process
and consume more memory for no benefit.

Mark

> On 7 Sep 2019, at 9:24 am, Brandon Applegate <[hidden email]> wrote:
>
> [...]

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]


Re: DNSSEC inline/auto - burst of resigning/updates ?

Tony Finch
Brandon Applegate <[hidden email]> wrote:
>
> Tonight though in about an hour, the serial number was incremented 12
> times and NOTIFYs sent.  My home firewall is stable, and my DKIM
> rotation happens monthly via cron.  So there’s nothing in the logs
> regarding a DDNS update.
>
> My question is - what could prompt these changes ?  I don’t see a
> pattern in time or anything else in the logs.

The prompt would have been regular zone re-signing activity, which (as
Mark says) is done in small chunks. You can control the size of the chunks
with the `sig-signing-nodes` and `sig-signing-signatures` options. If you
want to reduce NOTIFY / IXFR traffic, you might want to increase these
options, though it's probably only a good idea if you have a hidden
primary server that isn't answering other queries.

You should find that re-signing gets spread out over time due to update
activity and because of the randomizing jitter that Mark mentioned. So on
a more mature zone you might not get such an intense flurry of signature
updates. The jitter is 1 hour (in normal configurations) and there isn't
a direct way to change it, unlike the -j option to `dnssec-signzone`.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Wight: South 4 to 6, becoming variable 3 or less. Slight, occasionally
moderate at first. Showers, perhaps thundery. Moderate or good.
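As an added model of the mechanism Mark and Tony describe (this is not BIND's code and not something either of them wrote), the following simulation signs a zone in chunks, commits a new serial per chunk, shaves a random jitter off each signature's expiry, and keeps the SOA on the full validity interval as the sentinel. The 500-RRset zone, the five-minute check interval, the plain RRset-count chunk (a stand-in for `sig-signing-nodes`; `sig-signing-signatures` is not modelled) and the one-hour jitter are assumptions of the model. The newer behaviour Shumon mentions further down the thread, where jitter is spread over the validity period, is not modelled.

```python
"""Toy model of chunked, jittered DNSSEC re-signing.

Added example for this thread; it is not BIND code.  It reproduces the
behaviour described in the replies: signatures are refreshed in chunks
(each chunk commits a new serial and so triggers NOTIFY/IXFR), every
signature's expiry is shortened by a random jitter so later refreshes drift
apart, and the SOA is always signed with the full validity interval.
The check interval, zone size and jitter values are assumptions.
"""
import random

HOUR = 3600
DAY = 24 * HOUR
STEP = 5 * 60          # assumed: how often the model looks for signatures to refresh


class Zone:
    def __init__(self, names, validity, resign_before, chunk, jitter, seed=1):
        self.rng = random.Random(seed)
        self.validity = validity            # sig-validity-interval, first field (seconds)
        self.resign_before = resign_before  # second field: refresh this long before expiry
        self.chunk = chunk                  # RRsets per commit (stand-in for sig-signing-nodes)
        self.jitter = jitter                # max seconds shaved off each RRSIG expiry
        self.serial = 0
        self.expiry = {}                    # RRset name -> RRSIG expiry time (seconds)
        self.soa_expiry = None
        self.sign(now=0, names=list(names))

    def sign(self, now, names):
        """Re-sign `names` in chunks; return the number of serial bumps (NOTIFYs)."""
        bumps = 0
        for i in range(0, len(names), self.chunk):
            for name in names[i:i + self.chunk]:
                self.expiry[name] = now + self.validity - self.rng.uniform(0, self.jitter)
            self.serial += 1        # each committed chunk is a new serial -> NOTIFY
            bumps += 1
        if bumps:
            # The SOA keeps the full validity interval: it is the sentinel for a
            # completed pass, so it never expires before any jittered RRset.
            self.soa_expiry = now + self.validity
        return bumps

    def step(self, now):
        """Refresh every RRset whose expiry is within resign_before of `now`."""
        due = sorted(n for n, e in self.expiry.items() if e - now <= self.resign_before)
        return self.sign(now, due) if due else 0


def run(jitter, chunk=100, rrsets=500, days=30,
        validity=14 * DAY, resign_before=9 * DAY, seed=1):
    """Simulate `days` days after the initial signing; return serial bumps per STEP."""
    zone = Zone((f"rr{i}" for i in range(rrsets)), validity, resign_before, chunk, jitter, seed)
    return [zone.step(k * STEP) for k in range(1, days * DAY // STEP + 1)]


def max_per_hour(bumps):
    """Largest number of serial bumps inside any rolling one-hour window."""
    w = HOUR // STEP
    return max(sum(bumps[i:i + w]) for i in range(len(bumps) - w + 1))


def summarize(jitter, chunk=100):
    bumps = run(jitter, chunk)
    return {"total_notifies": sum(bumps), "worst_hour": max_per_hour(bumps)}


if __name__ == "__main__":
    print("no jitter, chunk 100 :", summarize(0))
    print("no jitter, chunk 500 :", summarize(0, chunk=500))
    print("1h jitter, chunk 100 :", summarize(HOUR))
```

With `sig-validity-interval 14 9` every signature on a freshly signed zone comes due on day five at the same instant, so the model commits ceil(500/100) = 5 serials in one go, and raising the chunk size to the whole zone collapses that to one NOTIFY per cycle, which is the effect Tony's `sig-signing-nodes` advice aims at. With an hour of jitter the same refresh turns into one commit per check interval across that hour (the flurry in the original post), and because each cycle adds fresh jitter the refreshes spread over two hours in the second cycle, three in the third, and so on, which is the "more mature zone" behaviour Tony describes. The chunk size does nothing for that case, since only a few dozen RRsets are ever due at once.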

Re: DNSSEC inline/auto - burst of resigning/updates ?

Shumon Huque
On Mon, Sep 9, 2019 at 6:48 AM Tony Finch <[hidden email]> wrote:
> [...]
> You should find that re-signing gets spread out over time due to update
> activity and because of the randomizing jitter that Mark mentioned. So on
> a more mature zone you might not get such an intense flurry of signature
> updates. The jitter is 1 hour (in normal configurations) and there isn't
> a direct way to change it, unlike the -j option to `dnssec-signzone`.

In recent versions of BIND, the jitter is no longer 1 hour, but spread out over the signature validity period.

I filed an enhancement request about a year ago on this topic, and why BIND should spread out the jitter:


The changes first appeared in BIND 9.12.3 I believe.

Shumon Huque


Re: DNSSEC inline/auto - burst of resigning/updates ?

Tony Finch
Shumon Huque <[hidden email]> wrote:
>
> In recent versions of BIND, the jitter is no longer 1 hour, but spread
> out over the signature validity period.

Oh, nice, I must have looked at a stale branch by accident :-)

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Lundy, Fastnet, Irish Sea: North or northwest 6 or 7, decreasing 4 or 5 later.
Slight or moderate, occasionally rough in Lundy and Fastnet at first. Showers,
perhaps thundery. Moderate or good.