> On 13 Mar 2019, at 2:42 am, Philippe Maechler <pmaechler...@glattnet.ch> 
> wrote:
> Hello Mark and bind users
> Thank you for the explanations. Some things are still not clear to me...
> > -----Original Message-----
> > From: Mark Andrews <ma...@isc.org> 
> > Sent: Monday, March 11, 2019 8:53 AM
> > To: Philippe Maechler <pmaechler...@glattnet.ch>
> > Cc: bind-users@lists.isc.org
> > Subject: Re: named cpu usage pretty high because of 
> > dns_dnssec_findzonekeys2 -> file not found
> > 
> > Because you removed the key from disk before it was removed from the zone.  
> > Presumably named
> > was logging other error messages before you removed the key from disk or 
> > the machine was off
> > for a period or you mismanaged the key roll and named kept the key alive.
> > 
> Possible, the machine was running all the time (uptime is ~92 days). I would 
> have to search in old logs to be sure. Since this domain is for testing 
> purposes, it's not important. The "bad thing" is the cpu usage which is quite 
> high.
> Is this something that will be addressed in further bind releases? E.g. 
> dns_dnssec_findzonekeys2 only searches at a given interval for new keys or only 
> logs this message once in a minute/hour?

Named was attempting to re-sign part of the zone and getting an error then 
re-trying a little bit later.
> > Named’s re-signing strategy is different to when you are signing the whole 
> > zone at once as
> > you are signing it incrementally.  You should be allowing most of the 
> > sig-validity interval
> > before you delete the DNSKEY after you inactive it.  
> What exactly is the sig-validity time? From my understanding this is the period 
> from "Activate" to "Inactive"

"sig-validity-interval <integer> [ <integer> ];"  it is for how long signatures 
are valid for when they
are generated.  The default is 30 days which results in them being 
queued for re-signing 7.15
days before the signature expired.  This is a named.conf setting.

> # dnssec-settime -pall Kglattweb.ch.+013+06605
> Created: Mon Mar 11 10:03:49 2019
> Publish: Mon Mar 11 11:06:44 2019
> Activate: Tue Mar 19 10:02:19 2019
> Revoke: UNSET
> Inactive: Thu Mar 21 10:06:44 2019
> Delete: Sun Mar 31 11:05:48 2019
> SYNC Publish: Mon Mar 11 11:06:44 2019
> SYNC Delete: Sun Mar 31 11:06:44 2019
> In this case the sig-validity time is ~2d 4m

The sig-validity-interval is not stored in the key.

> The key has a delete Date of 2019-03-31 and I can delete (or move) the key at 
> 2019-04-02 or to be safe 2019-04-03?

You are using the dnssec-signzone key management logic.  dnssec-signzone signs 
the entire zone at particular times.

Named uses a different strategy.  It re-signs the records in a zone as they 
fall due.  One doesn't want named signing
complete zones all at once as it takes it away from its primary job of serving 
the zone content.  It re-signs the
zone in small chunks.  The initial signing of the zone spreads those chunks out 
so they don't all fall at the
same time.  This makes re-signing of a zone a continuous process rather than 
specific events.

> > One should check that there are no RRSIGs
> > still present in the zone before deleting the DNSKEY from the zone.  
> > Inactivating it stops the
> > DNSKEY being used to generate new signatures but it needs to stay around 
> > until all those RRSIGs
> > have expired from caches which only happens after new replacement 
> > signatures have been generated.
> When are these replacement RRSIGs created? The key reached its delete date, 
> the new key is in place and new RRSIGs are created. 
> > If you still have the .private file around reinstate it.   If not you will 
> > need to import the
> > DNSKEY using dnssec-importkey and manage its removal properly.
> Can you help me here?
> # dnssec-importkey -v 99 -f /usr/local/etc/namedb/master/glattweb.ch.db
> dnssec-importkey: error: dns_master_load: 
> /usr/local/etc/namedb/master/glattweb.ch.db:15: glattweb.ch: not at top of 
> zone
> dnssec-importkey: fatal: can't load 
> /usr/local/etc/namedb/master/glattweb.ch.db: not at top of zone
> ok... yes makes sense, glattweb.ch is not at the top of zone
> # head /usr/local/etc/namedb/master/glattweb.ch.db
> $TTL    300
> $ORIGIN glattweb.ch.
> @     300  IN  SOA  dns1.glattnet.ch. hostmaster.glattnet. (
>                      2019020400 ; serial
>                             600 ; refresh
>                             300 ; retry
>                            3600 ; expire
>                              90 ; nttl
>                      )
> I don't think that I should use the .signed file... let’s test that anyway
> # dnssec-importkey -v 99 -f /usr/local/etc/namedb/master/glattweb.ch.db.signed
> dnssec-importkey: error: dns_master_load: 
> /usr/local/etc/namedb/master/glattweb.ch.db.signed:1: syntax error
> dnssec-importkey: fatal: can't load 
> /usr/local/etc/namedb/master/glattweb.ch.db.signed: syntax error
> Maybe I have to change the zone format from raw to text...
> # named-compilezone -j -fraw -F text -o tmp 
> glattweb.ch /usr/local/etc/namedb/master/glattweb.ch.db.signed
> zone glattweb.ch/IN: loaded serial 2019022800 (DNSSEC signed)
> dump zone to tmp...done
> OK
> # less tmp 
> glattweb.ch.                                  300 IN SOA        
> dns1.glattnet.ch. hostmaster.glattnet. 2019022800 600 300 3600 90
> glattweb.ch.                                  300 IN RRSIG      SOA 13 2 300 
> 20190330214039 20190228204039 12809 glattweb.ch. 
> WDhpay5Iwi3DumsZ3UQiwdfkkIY44t8ez8dRW6/xv3sXFOJrwYQTyxwx 
> eO2iiRBZwwOI6oyT/0eNDJiF+FSIlg==
> ; resign=20190330214039
> glattweb.ch.                                  300 IN NS         
> dns1.glattnet.ch.
> glattweb.ch.                                  300 IN NS         
> dns2.glattnet.ch.
> glattweb.ch.                                  300 IN RRSIG      NS 13 2 300 
> 20190318002703 20190215232756 12809 glattweb.ch. 
> AJ3ez1YZEK6YzRlByyLJf3scpljMgZYjIRH55pG6oPhc7AP0qgo4dBqH 
> MDvaVubxEWyulruRcOiD8jpym6gp2w==
> ; resign=20190318002703
> glattweb.ch.                                  90 IN NSEC        
> glattweb.ch.                                  90 IN RRSIG       NSEC 13 2 90 
> 20190330212621 20190228204039 12809 glattweb.ch. 
> 7Z93XycEUNrzZ64LxmQuBwSzps6nMxjVMrtUFR0Kse29RQF/3eIIjTGx 
> ZoTpDSOjjsrEhsBEyGSKvrGLS6bLXA==
> ; resign=20190330212621
> glattweb.ch.                                  300 IN DNSKEY     256 3 13 
> WqIsxqVPQxDwLqB/rv7u2sSx0R4ZgdHM6NexcDs3Z551rHar015v+jB6 
> HdnZQ/gMscxz6XzFwEc3+xAzsMx3QA==
> glattweb.ch.                                  300 IN DNSKEY     256 3 13 
> Y/m7vFPwhqc59OlfyJLnT66TNsHYMq4JvXN0hBChCD1UpanF/o18bLHh 
> VVMMTK0iB4EeuIdbn1aWvdVeFmSgmg==
> glattweb.ch.                                  300 IN RRSIG      DNSKEY 13 2 
> 300 20190328131200 20190226121200 12809 glattweb.ch. 
> gbDTbnIz+NtSg4dws88wWxv67gXdz4Qw/PL54CixibylGptcufep5W49 
> 2RkNz3iy79u1Kqvl4FUdEQhdZnLBJw==
> glattweb.ch.                                  300 IN RRSIG      DNSKEY 13 2 
> 300 20190328131200 20190226121200 33518 glattweb.ch. 
> eNk21CrH5BWkAp0uHk0N3gV2FCfsYUBO0bgRv4Vsqt2P9pz63sGKB/J0 
> 9zWLNb4Lf7GF6tIUZjyXq3vERmL+KA==
> ; resign=20190328131200
> glattweb.ch.                                  300 IN CDS        12809 13 1 
> C621D4A4904C012CBB35EB77E59F4C0CA3C81E87
> glattweb.ch.                                  300 IN CDS        12809 13 2 
> 75CDE511593A4D6D65D7FAC1C52EC304F9CB86D9AE53D550F2764A22 606FB96D
> glattweb.ch.                                  300 IN CDS        33518 13 1 
> 05977C7AC6320E25A3403366B69A1893DF023F63
> glattweb.ch.                                  300 IN CDS        33518 13 2 
> 39803C6F03171D50BA428C3BE5E4A3AB01CECF8564DAC18EBBFA2ED5 201B62C7
> glattweb.ch.                                  300 IN RRSIG      CDS 13 2 300 
> 20190328131200 20190226121200 12809 glattweb.ch. 
> h3rdycn57p0K2bi3IYPUyjf8NIYedWRO2OSpxrdGxiwqlH1tF9TaD9Rd 
> glattweb.ch.                                  300 IN RRSIG      CDS 13 2 300 
> 20190328131200 20190226121200 33518 glattweb.ch. 
> 9Yy4QmylesxZrszDHwp1NkLps2XKWQYyQHfxNQ0rOsxxiujVEfcRY6Fl 
> Xup1K9yZQdOxl5+GkyuHKic8HLXttA==
> ; resign=20190328131200
> glattweb.ch.                                  300 IN CDNSKEY    256 3 13 
> WqIsxqVPQxDwLqB/rv7u2sSx0R4ZgdHM6NexcDs3Z551rHar015v+jB6 
> HdnZQ/gMscxz6XzFwEc3+xAzsMx3QA==
> glattweb.ch.                                  300 IN CDNSKEY    256 3 13 
> Y/m7vFPwhqc59OlfyJLnT66TNsHYMq4JvXN0hBChCD1UpanF/o18bLHh 
> VVMMTK0iB4EeuIdbn1aWvdVeFmSgmg==
> glattweb.ch.                                  300 IN RRSIG      CDNSKEY 13 2 
> 300 20190328131200 20190226121200 12809 glattweb.ch. 
> l2FmSIdTBYCytoqZu8oiOx9tZ26MVIdaYXsF8uLAThJ5C1iXRuADwwde 
> tCwN7zQsiK9+VF/qLGKUSInOFosgxw==
> glattweb.ch.                                  300 IN RRSIG      CDNSKEY 13 2 
> 300 20190328131200 20190226121200 33518 glattweb.ch. 
> gresGcjFA258p6374Ke/+qHr2WNFMPccQZnZgc4p074hqlF01lZUKx7w 
> 388ph5i+fUzcsbT6Pf+trdkovuw7/A==
> ; resign=20190328131200
> www.glattweb.ch.                              300 IN CNAME      
> gnweb.glattnet.ch.
> www.glattweb.ch.                              300 IN RRSIG      CNAME 13 3 
> 300 20190318002703 20190215232756 12809 glattweb.ch. 
> 5gBSM7WaCIf2t/CFcaZ4p17xL6TpQw6zH+KpJphG3vxikRDgBNWVVjX7 
> ObDN6D7I4FhfaWEdRl3TcN4fJJQ++w==
> ; resign=20190318002703
> www.glattweb.ch.                              90 IN NSEC        glattweb.ch. 
> www.glattweb.ch.                              90 IN RRSIG       NSEC 13 3 90 
> 20190328204045 20190226195831 12809 glattweb.ch. 
> u+gIh06+Q3N1qwKIqieYI+2118ZoWvbI0vgCM27zU0lGDLdFLMeBUMuh 
> Qh1BSYBsj/JDNH/jTsJFav5GZK44ng==
> ; resign=20190328204045
> #
> # dnssec-importkey -v 99 -f tmp 
> dnssec-importkey: error: dns_master_load: tmp:26: glattweb.ch: not at top of 
> zone
> dnssec-importkey: fatal: can't load tmp: not at top of zone
> Since I get the same error message that I got when using the dnssec-importkey 
> in the unsigned file, I guess I do something fundamentally wrong :/

This selects the key you want to import from the dig output (grep -w 33518) and 
passes it to dnssec-importkey.

% dig dnskey glattweb.ch +rrcomm | grep -w 33518 | dnssec-importkey -f - 
% cat Kglattweb.ch.+013+33518.key
; This is a zone-signing key, keyid 33518, for glattweb.ch.
glattweb.ch. IN DNSKEY 256 3 13 
[beetle:bin/tests/system] marka% cat Kglattweb.ch.+013+33518.private
Private-key-format: v1.3
Algorithm: 13 (ECDSAP256SHA256)

Once named has regenerated the signatures and there are no more signatures in 
the zone from the 33518 key then set the
delete date to a week in the future using dnssec-settime.

With DNSSEC key management you don’t just set times for all events at the 
start.  You can only *safely* set the time
for the *next* event after the last event has completed.  If any event doesn’t 
occur at the expected time all the
rest need to slip back.  This applies whichever method you are using.  With 
named the re-signing of the complete zone
takes ~3 weeks to complete.


> tia
> Philippe
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
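Mark's advice above amounts to "look for RRSIGs made with the old key tag before you remove its DNSKEY". The script below is an added example, not code from the thread, from ISC or from BIND: it scans a `named-compilezone -F text` style dump (one record per line; the dump quoted in the thread is additionally wrapped by the mail client) and reports, per key tag, which RRsets still carry signatures from that key. The function names (`rrsigs_by_keytag`, `removal_report`) and the `SAMPLE_ZONE` records are constructed for this example; the record shapes and key tags 12809 and 33518 mirror the thread's dump, with truncated base64 since only the RRSIG header fields matter here.

```python
"""Added example (not from the thread): find RRSIGs still made with a given
key tag in a text-format zone dump, the check to run before deleting a DNSKEY.
Input follows `named-compilezone -F text` output, one record per line."""
import re

# RRSIG presentation format (RFC 4034 section 3.2):
#   owner ttl IN RRSIG type alg labels orig-ttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+(?:IN\s+)?RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<origttl>\d+)\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<tag>\d+)\s+(?P<signer>\S+)"
)


def rrsigs_by_keytag(zone_text):
    """Map key tag -> list of (owner, covered type, expiration as YYYYMMDDHHMMSS).
    ';' comment lines (e.g. the resign= hints) and any base64 continuation
    lines do not match the RRSIG pattern and are skipped."""
    by_tag = {}
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            by_tag.setdefault(int(m["tag"]), []).append(
                (m["owner"], m["covered"], m["exp"]))
    return by_tag


def removal_report(zone_text, keytag, now):
    """Summarise whether DNSKEY `keytag` can be removed from the zone.

    `now` is a YYYYMMDDHHMMSS UTC string; RRSIG timestamps are fixed width,
    so plain string comparison orders them correctly.  'safe' is True only
    when no RRSIG by that key remains in the zone at all, expired or not:
    an expired RRSIG that is still present means named has not managed to
    re-sign that RRset (the situation in the thread, where the key file
    was removed from disk too early)."""
    sigs = rrsigs_by_keytag(zone_text).get(keytag, [])
    still_valid = [s for s in sigs if s[2] > now]
    return {
        "keytag": keytag,
        "remaining": len(sigs),
        "still_valid": len(still_valid),
        "latest_expiry": max((s[2] for s in sigs), default=None),
        "rrsets": sorted({(owner, rtype) for owner, rtype, _ in sigs}),
        "safe": not sigs,
    }


# Constructed sample, shaped like the dump quoted in the thread: ZSK 12809
# signs everything, while key 33518 still has one RRSIG over the DNSKEY RRset.
# Base64 fields are truncated; they are not needed for this check.
SAMPLE_ZONE = """\
glattweb.ch. 300 IN SOA dns1.glattnet.ch. hostmaster.glattnet. 2019022800 600 300 3600 90
glattweb.ch. 300 IN RRSIG SOA 13 2 300 20190330214039 20190228204039 12809 glattweb.ch. WDhpay5I...
; resign=20190330214039
glattweb.ch. 300 IN DNSKEY 256 3 13 WqIsxqVP...
glattweb.ch. 300 IN DNSKEY 256 3 13 Y/m7vFPw...
glattweb.ch. 300 IN RRSIG DNSKEY 13 2 300 20190328131200 20190226121200 12809 glattweb.ch. gbDTbnIz...
glattweb.ch. 300 IN RRSIG DNSKEY 13 2 300 20190328131200 20190226121200 33518 glattweb.ch. eNk21CrH...
; resign=20190328131200
www.glattweb.ch. 300 IN CNAME gnweb.glattnet.ch.
www.glattweb.ch. 300 IN RRSIG CNAME 13 3 300 20190318002703 20190215232756 12809 glattweb.ch. 5gBSM7Wa...
; resign=20190318002703
"""

if __name__ == "__main__":
    # Run against the constructed dump as of 13 March 2019 (the thread's date).
    for tag in (12809, 33518):
        print(removal_report(SAMPLE_ZONE, tag, "20190313000000"))
```

In practice you would feed it the output of `named-compilezone -f raw -F text` on the signed zone (as Philippe did) or a full `dig axfr` from the primary, and only proceed with `dnssec-settime -D` once `remaining` is 0 for the old tag; after that the DNSKEY still needs to outlive the cached copies of those RRSIGs, which is why Mark suggests a delete date a week out rather than an immediate removal.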
