key signing


key signing

Alan Batie
I've got a test domain that I thought I had all working, but noticed the
key signing key was missing, so I generated one and did an rndc loadkeys
to get things updated, then generated a ds record for it and uploaded
that to the registrar, however, it still shows broken, and when I look,
I see that the zone signing key 28998 is self-signed, rather than being
signed by the zsk 30841?  Am I misunderstanding something here?

keys/Kcascocom.com.+008+28998.key:; This is a zone-signing key, keyid 28998, for cascocom.com.
keys/Kcascocom.com.+008+30841.key:; This is a key-signing key, keyid 30841, for cascocom.com.

;; ANSWER SECTION:
cascocom.com. 3600 IN DNSKEY 256 3 8 AwEAAbzsNZ6nTPgAjprXeuInoS24oSvDktzfDJxbd01Ggbpg+DCFHNQI W9O2PlujvKPNZWw4I0lYNTREF4y3gl4sgBPRjaxv1Y274WBMgl/zNcDV V7wBXBSHS3k/52HbP/KlL9kuxBKPbl40Kji3Fj2ZOpPuXxM+Y0uaYWeS 0kCgfs2h  ; ZSK; alg = RSASHA256 ; key id = 28998
cascocom.com. 3600 IN RRSIG DNSKEY 8 2 3600 20200409011715 20200310001715 28998 cascocom.com. R2yjLkUxmoA8JEmcyaRx/t43OZXINXBjDTA0HhxBgtwhIIK9DRq7RnW1 bNjN88qqzGqjWIIE+AG7Xk+8PXRAUeyQzWFDkMrqbg/qxlBvK+MgMlTJ VdWp2UdoDEn7A6feGNuoS7eBCDD+d+/DDjWZFU3D3YAIr6B7nJiu0hHF 8RQ=


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users


Re: key signing

Mark Andrews
Firstly, don’t blindly add DS records without first checking that the DNSKEYs
they refer to are published.  DNSSEC is less tolerant of operator error, and
sometimes things go wrong.  There are lots of “wait until …” in managing DNSSEC,
and if you don’t wait, DNSSEC validations will fail as a result, as you have seen.

I see the following, which indicates to me that 9675 is published but not active
and 28998 is published and active.

[beetle:~/git/bind9] marka% dig dnskey cascocom.com @ns1.peak.org +dnssec +rrcom

; <<>> DiG 9.15.4 <<>> dnskey cascocom.com @ns1.peak.org +dnssec +rrcom
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20347
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cascocom.com. IN DNSKEY

;; ANSWER SECTION:
cascocom.com. 3600 IN DNSKEY 256 3 5 AwEAAcA0mHBs2j1IuElgHpUUdGcBhWumR/0bjiWT4BRuuikP3TPsPh5T Ti3ps/0f7uwMG02tai69+LRycq8vrPDCB92FvwHw8ACVPxdJ6ZRVCKKp 7peayPXJ0hlWurdAQXbX6WXU74a5hLYZ+2/rN+3BPyvImxO2o4RM5ay4 JlU59n5v  ; ZSK; alg = RSASHA1 ; key id = 9675
cascocom.com. 3600 IN DNSKEY 256 3 8 AwEAAbzsNZ6nTPgAjprXeuInoS24oSvDktzfDJxbd01Ggbpg+DCFHNQI W9O2PlujvKPNZWw4I0lYNTREF4y3gl4sgBPRjaxv1Y274WBMgl/zNcDV V7wBXBSHS3k/52HbP/KlL9kuxBKPbl40Kji3Fj2ZOpPuXxM+Y0uaYWeS 0kCgfs2h  ; ZSK; alg = RSASHA256 ; key id = 28998
cascocom.com. 3600 IN RRSIG DNSKEY 8 2 3600 20200409011715 20200310001715 28998 cascocom.com. R2yjLkUxmoA8JEmcyaRx/t43OZXINXBjDTA0HhxBgtwhIIK9DRq7RnW1 bNjN88qqzGqjWIIE+AG7Xk+8PXRAUeyQzWFDkMrqbg/qxlBvK+MgMlTJ VdWp2UdoDEn7A6feGNuoS7eBCDD+d+/DDjWZFU3D3YAIr6B7nJiu0hHF 8RQ=

;; Query time: 509 msec
;; SERVER: 207.55.16.51#53(207.55.16.51)
;; WHEN: Wed Mar 11 09:50:14 AEDT 2020
;; MSG SIZE  rcvd: 509

[beetle:~/git/bind9] marka%

And with the following DS records there isn’t a secure path.

cascocom.com. 85427 IN DS 9675 5 2 EBC1B325B8740433571AC648B0925A2158D5521446DFE50402142243E834F234
cascocom.com. 85427 IN DS 30841 8 2 E8870853532B4CF3588FE6B4DE59324F5E99C8C40F29CDED06845321CFDAB46C

Now, I don’t know exactly what you did, but the detected error will have been logged.

Mark

> On 11 Mar 2020, at 09:39, Alan Batie <[hidden email]> wrote:

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]


Re: key signing

Alan Batie
On 3/10/20 4:03 PM, Mark Andrews wrote:
> Firstly don’t blindly add DS records without first checking that the DNSKEYs
> they refer to are published.  DNSSEC is less tolerant of operator error and
> sometimes things go wrong.  There are lots of “wait until …” in managing DNSSEC
> and if you don’t wait DNSSEC validations will fail as a result as you have seen.

I have been trying to figure out a good way to validate that everything
is ready for the DS record to be published - a "zone_test" script, but
that's a separate issue.

> I see the following which indicates to me that 9675 is published but not active
> and 28998 is published and active.

Yes, those are both zone signing keys (migrating from sha1 to sha256).


> [beetle:~/git/bind9] marka%
>
> and with the following DS records there isn’t secure path.
>
> cascocom.com. 85427 IN DS 9675 5 2 EBC1B325B8740433571AC648B0925A2158D5521446DFE50402142243E834F234
> cascocom.com. 85427 IN DS 30841 8 2 E8870853532B4CF3588FE6B4DE59324F5E99C8C40F29CDED06845321CFDAB46C
>
> now I don’t know exactly what you did but detected error will have been logged.

I'm not sure how a DS record for 9675 got generated, as that's a zsk?

It might be better to wipe everything for this zone and start over as I
seem to have done something that got it very confused.



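As an added example (not code from this thread or from BIND), the kind of pre-publication check Mark's advice and Alan's "zone_test" idea both call for: compute the key tag and DS digest of every published DNSKEY, then test each DS record at the parent against the DNSKEY RRset and against the key that actually signed it. The record data are the cascocom.com DNSKEY, RRSIG and DS records quoted in the thread; check_chain() and its verdict strings are my own.

```python
# Added example (not from the thread or from BIND): DNSSEC chain-of-trust pre-flight check.
import base64, hashlib, struct

def name_to_wire(name):
    """Canonical lowercase wire form of the owner name (RFC 4034 section 6.2)."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, proto, alg, pubkey_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key bytes."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSAMD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name wire form + DNSKEY RDATA), RFC 4034 section 5.1.4."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()

def check_chain(owner, dnskeys, rrsig_signers, ds_records):
    """Verdict per DS: secure path only if a published DNSKEY matches it AND signed the DNSKEY RRset."""
    rdatas = [dnskey_rdata(*k) for k in dnskeys]
    published = {(key_tag(rd), rd[3]): rd for rd in rdatas}  # rd[3] is the algorithm byte
    verdict = {}
    for tag, alg, dtype, digest in ds_records:
        rd = published.get((tag, alg))
        if rd is None:
            verdict[tag] = "no published DNSKEY with this key tag and algorithm"
        elif ds_digest(owner, rd, dtype) != digest.upper():
            verdict[tag] = "DNSKEY published but the DS digest does not match it"
        elif tag not in rrsig_signers:
            verdict[tag] = "DNSKEY published but it did not sign the DNSKEY RRset"
        else:
            verdict[tag] = "secure path"
    return verdict

# The DNSKEY RRset, RRSIG(DNSKEY) signer and DS records exactly as quoted in the thread.
ZONE = "cascocom.com"
DNSKEYS = [
    (256, 3, 5, "AwEAAcA0mHBs2j1IuElgHpUUdGcBhWumR/0bjiWT4BRuuikP3TPsPh5TTi3ps/0f7uwMG02tai69+LRycq8vrPDCB92FvwHw8ACVPxdJ6ZRVCKKp"
                "7peayPXJ0hlWurdAQXbX6WXU74a5hLYZ+2/rN+3BPyvImxO2o4RM5ay4JlU59n5v"),
    (256, 3, 8, "AwEAAbzsNZ6nTPgAjprXeuInoS24oSvDktzfDJxbd01Ggbpg+DCFHNQIW9O2PlujvKPNZWw4I0lYNTREF4y3gl4sgBPRjaxv1Y274WBMgl/zNcDV"
                "V7wBXBSHS3k/52HbP/KlL9kuxBKPbl40Kji3Fj2ZOpPuXxM+Y0uaYWeS0kCgfs2h"),
]
RRSIG_SIGNERS = {28998}
DS_RECORDS = [(9675, 5, 2, "EBC1B325B8740433571AC648B0925A2158D5521446DFE50402142243E834F234"),
              (30841, 8, 2, "E8870853532B4CF3588FE6B4DE59324F5E99C8C40F29CDED06845321CFDAB46C")]
```

Run as check_chain(ZONE, DNSKEYS, RRSIG_SIGNERS, DS_RECORDS) against the thread's data, neither DS yields a secure path: no published DNSKEY carries tag 30841, and the DNSKEY RRset is signed only by 28998.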