Still seeing some ALG-7 DNSSE


@lbutlr
If I do:

cd /etc/named/working/main/
for i in *; do dig $i +dnssec | grep "A 13 2" | awk '{print $1}';done

I see a list of all the domains on the system, so that's good, everything has an ALG-13 signature.

If I do

for i in *; do dig $i +dnssec | grep "A 7 2" | awk '{print $1}';done

I see a list of a handful of domains that still have ALG-7 signatures. This is confirmed by a warning in dnsviz.

I don't see any differences in the configurations, and none of the main records on the registrar list ALG-7 anymore, only ALG-13.

All of the domains are set up with dnssec-policy default.

There are still 007 key files on the system for ALL domains (unexpected), updated every hour (expected).

 8 -rw-r--r--  1 bind  bind   1.0K Apr  5 06:21 Kkreme.com.+007+01083.key
 8 -rw-r--r--  1 bind  bind   587B Apr  5 06:21 Kkreme.com.+007+01083.state
 8 -rw-------  1 bind  bind   3.3K Apr  5 06:21 Kkreme.com.+007+01083.private
 8 -rw-r--r--  1 bind  bind   708B Apr  5 06:21 Kkreme.com.+007+30512.key
 8 -rw-r--r--  1 bind  bind   520B Apr  5 06:21 Kkreme.com.+007+30512.state
 8 -rw-------  1 bind  bind   1.8K Apr  5 06:21 Kkreme.com.+007+30512.private
 8 -rw-r--r--  1 bind  bind   399B Apr  5 06:21 Kkreme.com.+013+29597.key
 8 -rw-r--r--  1 bind  bind   651B Apr  5 06:21 Kkreme.com.+013+29597.state
 8 -rw-------  1 bind  bind   215B Apr  5 06:21 Kkreme.com.+013+29597.private

This domain does not show any ALG-7 keys in dig:

# dig kreme.com +dnssec +short
65.121.55.45
A 13 2 3600 20210415161448 20210401155316 29597 kreme.com. Sea2LPlKGeH/aP1kwONwtuH0Jkp2TVHNb/v9PEOUiVQVzCwKMkg79+K9 bE8yhNQ2vLV4Fxvzk4jknP8Cbq98lQ==

Is there anything I need to do here or not? Will those alg-7 key files continue to hang around forever? Do I need to do something to get dnsviz and dig +dnssec to stop reporting the old keys or is that like propagation and it will sort itself out? I don't see a pattern in the domains that are still showing alg-7 but it is possible they had the DS/registrar info updated later than the other domains.

--
I loved you when our love was blessed I love you now there's nothing
        left But sorrow and a sense of overtime

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
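An added example, not code posted in this thread: the two dig loops above only catch RRSIGs over A records with a two-label owner, so a slightly more general check is useful. This script reads the full (not +short) output of `dig <zone> +dnssec` and reports the algorithm and key tag of every RRSIG, flagging algorithm 7, and lists BIND key files by algorithm so stale alg-7 files stand out even when no alg-7 signature is left in the zone. The dig answer and key directory below are constructed inline so it runs offline; point it at real dig output and your working directory in practice.

```sh
#!/bin/sh
# Added example for this thread, not code posted by the original author.
# It parses the full output of `dig <zone> +dnssec` (not +short) and the
# names of BIND key files. Every sample below is constructed inline so the
# script runs offline; replace it with real dig output / your key directory.

# rrsig_report: read dig +dnssec output on stdin and print one line per
# RRSIG record: "<owner> <type covered> alg=<n> tag=<keytag>". Algorithm 7
# (RSASHA1-NSEC3-SHA1) signatures are flagged, since none should remain once
# a rollover to algorithm 13 (ECDSAP256SHA256) has completed.
rrsig_report() {
    awk '$3 == "IN" && $4 == "RRSIG" {
        flag = ($6 == 7) ? " OLD-ALG" : ""
        printf "%s %s alg=%s tag=%s%s\n", $1, $5, $6, $11, flag
    }'
}

# old_sig_count: number of algorithm-7 RRSIGs in dig output on stdin.
old_sig_count() {
    awk '$3 == "IN" && $4 == "RRSIG" && $6 == 7 { n++ } END { print n + 0 }'
}

# key_file_algs: for every K<zone>.+<alg>+<tag>.key file in a directory,
# print "<zone> alg=<alg> tag=<tag>", so stale algorithm-7 key files are
# easy to spot even when they no longer appear in the zone.
key_file_algs() {
    dir=$1
    for f in "$dir"/K*.key; do
        [ -e "$f" ] || continue
        base=${f##*/}            # Kkreme.com.+007+01083.key
        base=${base#K}; base=${base%.key}
        zone=${base%%.+*}        # kreme.com
        rest=${base#*.+}         # 007+01083
        printf '%s alg=%s tag=%s\n' "$zone" "${rest%%+*}" "${rest#*+}"
    done
}

# make_sample_keydir: create a temporary directory with constructed key file
# names matching the listing in the thread (two alg-7 keys, one alg-13).
make_sample_keydir() {
    d=$(mktemp -d)
    for k in 007+01083 007+30512 013+29597; do
        : > "$d/Kkreme.com.+$k.key"
    done
    printf '%s\n' "$d"
}

# Constructed dig +dnssec answer: an A record signed by both the new
# alg-13 key and a lingering alg-7 key (signature data shortened).
SAMPLE_DIG='example.test.  3600 IN A 192.0.2.10
example.test.  3600 IN RRSIG A 13 2 3600 20210415161448 20210401155316 29597 example.test. Sea2LPlK==
example.test.  3600 IN RRSIG A 7 2 3600 20210415161448 20210401155316 30512 example.test. AbCdEf=='

printf '%s\n' "$SAMPLE_DIG" | rrsig_report
d=$(make_sample_keydir); key_file_algs "$d"; rm -rf "$d"
```

To check a live zone, pipe `dig kreme.com DNSKEY +dnssec` and `dig kreme.com A +dnssec` through `rrsig_report`; the DNSKEY RRset is the one most likely to keep an old-algorithm signature during a rollover, and the key tags printed can be matched directly against the `+007+<tag>` files that `key_file_algs` lists.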

Re: Still seeing some ALG-7 DNSSE

Matthijs Mekking
Most likely you have to delete those files manually.

In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By
default the keys are retained for 90 days after their latest usage. So
in that case keys will be cleaned up automatically.

If you run a lower version, or if you set "purge-keys 0;" (disabled),
you have to purge key files manually.

Best regards,

Matthijs



On 05-04-2021 18:27, @lbutlr wrote:

> If I do:
>
> cd /etc/named/working/main/
> for i in *; do dig $i +dnssec | grep "A 13 2" | awk '{print $1}';done
>
> I see a list of all the domains on the system, so that's good, everything has an ALG-13 signature.
>
> If I do
>
> for i in *; do dig $i +dnssec | grep "A 7 2" | awk '{print $1}';done
>
> I see a list of a handful of domains that still have ALG-7 signatures. This is confirmed by a warning in dnsviz.
>
> I don't see any differences in the configurations, and none of the main records on the registrar list ALG-7 anymore, only ALG-13.
>
> All of the domains are set up with dnssec-policy default.
>
> There are still 007 key files on the system for ALL domains (unexpected), updated every hour (expected).
>
>   8 -rw-r--r--  1 bind  bind   1.0K Apr  5 06:21 Kkreme.com.+007+01083.key
>   8 -rw-r--r--  1 bind  bind   587B Apr  5 06:21 Kkreme.com.+007+01083.state
>   8 -rw-------  1 bind  bind   3.3K Apr  5 06:21 Kkreme.com.+007+01083.private
>   8 -rw-r--r--  1 bind  bind   708B Apr  5 06:21 Kkreme.com.+007+30512.key
>   8 -rw-r--r--  1 bind  bind   520B Apr  5 06:21 Kkreme.com.+007+30512.state
>   8 -rw-------  1 bind  bind   1.8K Apr  5 06:21 Kkreme.com.+007+30512.private
>   8 -rw-r--r--  1 bind  bind   399B Apr  5 06:21 Kkreme.com.+013+29597.key
>   8 -rw-r--r--  1 bind  bind   651B Apr  5 06:21 Kkreme.com.+013+29597.state
>   8 -rw-------  1 bind  bind   215B Apr  5 06:21 Kkreme.com.+013+29597.private
>
> This domain does not show any ALG-7 keys in dig:
>
> # dig kreme.com +dnssec +short
> 65.121.55.45
> A 13 2 3600 20210415161448 20210401155316 29597 kreme.com. Sea2LPlKGeH/aP1kwONwtuH0Jkp2TVHNb/v9PEOUiVQVzCwKMkg79+K9 bE8yhNQ2vLV4Fxvzk4jknP8Cbq98lQ==
>
> Is there anything I need to do here or not? Will those alg-7 key files continue to hang around forever? Do I need to do something to get dnsviz and dig +dnssec to stop reporting the old keys or is that like propagation and it will sort itself out? I don't see a pattern in the domains that are still showing alg-7 but it is possible they had the DS/registrar info updated later than the other domains.
>
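As an added example (not from Matthijs's reply or ISC's documentation), this is the shape of a custom dnssec-policy that keeps the built-in default's single ECDSAP256SHA256 CSK but sets a shorter purge-keys period, together with a zone that uses it. It assumes BIND 9.16.13 or later syntax; the policy name, zone name and file path are placeholders. The value is a duration, written as an ISO 8601 period (P30D is 30 days) or as a plain number of seconds, and `purge-keys 0;` disables purging so old key files stay until removed by hand.

```conf
// Added example: custom policy with the same key setup as the built-in
// "default" policy (one CSK, algorithm 13 / ECDSAP256SHA256, no rotation)
// plus a 30-day purge window instead of the 90-day default.
dnssec-policy "default-purge30" {
    keys {
        csk lifetime unlimited algorithm ecdsa256;
    };
    purge-keys P30D;
};

// Placeholder zone using the policy; adjust name and file path.
zone "example.test" {
    type primary;
    file "/etc/named/working/main/example.test";
    dnssec-policy "default-purge30";
};
```

Run `named-checkconf` after the change and then `rndc reconfig`; key files are only purged after they have been unused for the configured period, so the alg-7 files are not removed immediately.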

Re: Still seeing some ALG-7 DNSSE

@lbutlr
On 06 Apr 2021, at 01:13, Matthijs Mekking <[hidden email]> wrote:
> In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By default the keys are retained for 90 days after their latest usage. So in that case keys will be cleaned up automatically.

Excellent. Does that go in the zone record with default, or does it replace default? I don't see the syntax in the release notes.

Or do I add a

dnssec-policy "default" {
  purge-keys 30; // (or is that field seconds?)
}

Or will that mess up the predefined for default?

--
'There has to be enough light,' he panted, 'to see the darkness.'
