Hi Matthijs,

The zone was not signed before. I enabled DNSSEC by adding the 'dnssec-policy'. I will send you the requested files off list.

Thank you,
Daniel

On 23.12.20 11:39, Matthijs Mekking wrote:
> Hi Daniel,
>
> This zone was signed before, prior to switching to 'dnssec-policy'? Or
> did you enable DNSSEC by adding 'dnssec-policy'?
>
> If you have them, would you be able to share with me (off list) the logs
> and the key (state) files?
>
> - Matthijs
>
>
> On 23-12-2020 10:47, Daniel Stirnimann wrote:
>> Hello Matthijs,
>>
>> I'm testing with version 9.16.9.
>>
>> Ok, I'm more confused now.
>>
>> For the current key rollover the DNSKEY RRset is not signed with both
>> the old key 6207 and the new key 15769 but only with the new key 15769.
>> The domain is now bogus:
>>
>> https://dnsviz.net/d/badware.ch/X-MRAg/dnssec/
>>
>>
>> rndc dnssec -status badware.ch
>> dnssec-policy: test
>> current time:  Wed Dec 23 10:42:00 2020
>>
>> key: 39414 (ECDSAP256SHA256), CSK
>>   published:      no
>>   key signing:    no
>>   zone signing:   no
>>
>>   Key has been removed from the zone
>>   - goal:           hidden
>>   - dnskey:         unretentive
>>   - ds:             unretentive
>>   - zone rrsig:     unretentive
>>   - key rrsig:      hidden
>>
>> key: 6207 (ECDSAP256SHA256), CSK
>>   published:      yes - since Wed Dec 16 07:33:24 2020
>>   key signing:    no
>>   zone signing:   no
>>
>>   Key is retired, will be removed on Fri Jan  1 11:43:24 2021
>>   - goal:           hidden
>>   - dnskey:         omnipresent
>>   - ds:             unretentive
>>   - zone rrsig:     unretentive
>>   - key rrsig:      hidden
>>
>> key: 15769 (ECDSAP256SHA256), CSK
>>   published:      yes - since Wed Dec 23 07:33:24 2020
>>   key signing:    yes - since Wed Dec 23 07:33:24 2020
>>   zone signing:   yes - since Wed Dec 23 09:38:24 2020
>>
>>   Next rollover scheduled on Wed Dec 30 07:33:24 2020
>>   - goal:           omnipresent
>>   - dnskey:         omnipresent
>>   - ds:             rumoured
>>   - zone rrsig:     rumoured
>>   - key rrsig:      omnipresent
>>
>>
>> Daniel
>>
>> On 23.12.20 10:33, Matthijs Mekking wrote:
>>> Hi Daniel,
>>>
>>> With which specific 9.16 version are you testing? The first versions
>>> used an unsafe time based rollover, assuming the DS would be published
>>> within a certain time. In 9.16.7 a new rndc command "rndc dnssec
>>> -checkds" was introduced to tell BIND 9 that the DS for a given key has
>>> been published.
>>>
>>> Best regards,
>>>
>>> Matthijs
>>>
>>> On 23-12-2020 09:53, Daniel Stirnimann wrote:
>>>> Hi all,
>>>>
>>>> I'm testing the key rollover behavior of BIND 9.16 with the newly
>>>> introduced "dnssec-policy" statement.
>>>>
>>>> The ISC DNSSEC Guide, chapter Working with the Parent Zone (2) [1] states:
>>>>
>>>> "At the time of this writing (mid-2020) BIND does not check for the
>>>> presence of a DS record in the parent zone before completing the KSK or
>>>> CSK rollover and withdrawing the old key. Instead, you need to use the
>>>> rndc tool to tell named that the DS record has been published."
>>>>
>>>> The last sentence that one has to tell named that the DS record has been
>>>> published is not what I'm observing. My tests show that BIND continues
>>>> (finishes) the key rollover. The use of the rndc tool is not required.
>>>> Is this an error in the documentation?
>>>>
>>>> dnsviz output of the test domain:
>>>>
>>>> badware.ch signed with key 39414 but no trust anchor in .ch yet:
>>>> https://dnsviz.net/d/badware.ch/X9DD2w/dnssec/
>>>>
>>>> badware.ch DNSSEC bootstrap completed (with trust anchor in .ch,
>>>> automatically picked up by CDS/CDNSKEY polling by the parent):
>>>> https://dnsviz.net/d/badware.ch/X9ZGPA/dnssec/
>>>>
>>>> badware.ch key rollover from key 39414 to key 6207 in progress:
>>>> https://dnsviz.net/d/badware.ch/X9oemQ/dnssec/
>>>>
>>>> badware.ch previous key rollover finished. key 39414 is unused and will
>>>> be removed from the DNSKEY rrset soon. No "rndc" command has been used
>>>> to tell named to complete the key rollover.
>>>> Next key rollover started with the introduction of key 15769:
>>>> https://dnsviz.net/d/badware.ch/X-L1BQ/dnssec/
>>>>
>>>>
>>>> DNSSEC Policy:
>>>>
>>>> dnssec-policy "test" {
>>>>     keys {
>>>>         csk key-directory lifetime 7d algorithm 13;
>>>>     };
>>>>
>>>>     // Key timings
>>>>     dnskey-ttl 3600;
>>>>     publish-safety 1h;
>>>>     retire-safety 1h;
>>>>
>>>>     // Zone parameters
>>>>     max-zone-ttl 3600;
>>>>     zone-propagation-delay 300;
>>>>
>>>>     // Parent parameters
>>>>     parent-ds-ttl 1h;
>>>>     parent-propagation-delay 1h;
>>>> };
>>>>
>>>> Thank you,
>>>> Daniel
>>>>
>>>> [1]
>>>> https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2
>>>>
>>>> _______________________________________________
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>>> unsubscribe from this list
>>>>
>>>> ISC funds the development of this software with paid support
>>>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>>>> information.
>>>>
>>>>
>>>> bind-users mailing list
>>>> bind-users@lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>>
>>>
>>
>

-- 
SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 24
daniel.stirnim...@switch.ch, www.switch.ch
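The thread turns on one operational question: before named is told (with the "rndc dnssec -checkds" command that exists from 9.16.7 on) that the parent has published or withdrawn a DS, the operator has to verify that claim against the parent zone. The script below is an added example, not code from the thread or from ISC. It computes the DS RDATA a parent should carry for a child DNSKEY (RFC 4034 key tag and SHA-256 digest, digest type 2), so the value can be compared with what the parent actually serves, and it parses "rndc dnssec -status" output (the status block from the thread, transcribed into the script) to list the keys whose "ds:" state is waiting on a parent change. Assumptions: the 64-byte all-zero public key is a placeholder chosen so the key tag can be checked by hand (it is not a usable ECDSA key); the mapping from the "rumoured"/"unretentive" DS states to the "published"/"withdrawn" keyword is this example's reading of the state names shown in the thread; the rndc syntax is that of BIND 9.16.7 and later.

```python
"""Offline helpers around a BIND 9.16 'dnssec-policy' CSK/KSK rollover.

Added example, not ISC code.  (1) Compute the DS a parent should publish
for a child DNSKEY (RFC 4034), so it can be compared with the DS the
parent actually serves.  (2) Parse 'rndc dnssec -status' output and list
the keys whose DS state still needs an operator confirmation via
'rndc dnssec -checkds' (available from BIND 9.16.7).
"""
import base64
import hashlib
import re


def wire_name(name: str) -> bytes:
    """Owner name in uncompressed, lower-cased wire format (RFC 4034 6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """DS RDATA 'tag alg 2 HEX' with a SHA-256 digest over owner + DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"


# Placeholder key (64 zero bytes, not a real ECDSA P-256 key) so the key tag
# is hand-checkable: 0x0101 + 0x0300 + 0x0d = 1038 for flags 257, proto 3, alg 13.
ZERO_KEY_B64 = base64.b64encode(bytes(64)).decode("ascii")

KEY_RE = re.compile(r"^\s*key:\s*(\d+)\s*\(([^)]+)\),\s*(\w+)")
STATE_RE = re.compile(r"^\s*-\s*([a-z ]+?):\s*(\w+)")


def parse_dnssec_status(text: str) -> dict:
    """Map key id -> {'alg', 'role', 'goal', 'dnskey', 'ds', 'zone rrsig', 'key rrsig'}."""
    keys, cur = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            cur = keys.setdefault(int(m.group(1)), {"alg": m.group(2), "role": m.group(3)})
            continue
        m = STATE_RE.match(line)
        if m and cur is not None:
            cur[m.group(1).strip()] = m.group(2)
    return keys


def checkds_commands(zone: str, keys: dict) -> list:
    """rndc commands to run only after the parent DS change has been verified.

    ds 'rumoured' with goal 'omnipresent': named is waiting for the new DS to
    appear at the parent -> confirm with 'published'.
    ds 'unretentive' with goal 'hidden': named is waiting for the old DS to
    disappear from the parent -> confirm with 'withdrawn'.
    """
    cmds = []
    for kid, st in sorted(keys.items()):
        if st.get("ds") == "rumoured" and st.get("goal") == "omnipresent":
            cmds.append(f"rndc dnssec -checkds -key {kid} published {zone}")
        elif st.get("ds") == "unretentive" and st.get("goal") == "hidden":
            cmds.append(f"rndc dnssec -checkds -key {kid} withdrawn {zone}")
    return cmds


# Status output transcribed from the thread above (BIND 9.16.9, policy "test").
STATUS = """dnssec-policy: test
current time:  Wed Dec 23 10:42:00 2020

key: 39414 (ECDSAP256SHA256), CSK
  published:      no
  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         unretentive
  - ds:             unretentive
  - zone rrsig:     unretentive
  - key rrsig:      hidden

key: 6207 (ECDSAP256SHA256), CSK
  published:      yes - since Wed Dec 16 07:33:24 2020
  Key is retired, will be removed on Fri Jan  1 11:43:24 2021
  - goal:           hidden
  - dnskey:         omnipresent
  - ds:             unretentive
  - zone rrsig:     unretentive
  - key rrsig:      hidden

key: 15769 (ECDSAP256SHA256), CSK
  published:      yes - since Wed Dec 23 07:33:24 2020
  Next rollover scheduled on Wed Dec 30 07:33:24 2020
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             rumoured
  - zone rrsig:     rumoured
  - key rrsig:      omnipresent
"""

if __name__ == "__main__":
    print("expected DS for placeholder key:", ds_record("badware.ch", 257, 3, 13, ZERO_KEY_B64))
    for cmd in checkds_commands("badware.ch", parse_dnssec_status(STATUS)):
        print(cmd)
```

Use it in this order: take the new key's DNSKEY from the zone, compute its DS with ds_record(), fetch the parent's DS (for example "dig +dnssec DS badware.ch @<parent nameserver>") and only issue the "published" command when the two match; issue "withdrawn" only once the old DS is really gone from the parent. Confirming a DS that the parent does not serve lets named finish the rollover against a chain of trust that validators cannot follow.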