Package: bind9
Version: 1:9.18.16-1
Severity: normal

I started migrating our zones from auto-dnssec to dnssec-policy earlier this year, and for months it seemed that everything was working fine. However, tonight the first zones migrated started giving SERVFAIL and after I removed their .jnl .jbk and .signed files, bind9 is no longer signing them. It creates the files, but the .signed zone is identical to the source file.

My policy is:

dnssec-policy "trex-policy" {
        keys {
                ksk lifetime unlimited algorithm ECDSAP256SHA256;
                zsk lifetime P20W algorithm ECDSAP256SHA256;
        };
        publish-safety  PT1H;
        retire-safety   P2W;
        purge-keys      P1Y;
};

Extracts from logs for one affected zone look normal:

15-Aug-2023 03:02:50.943 dnssec: info: zone 193.140.195.in-addr.arpa/IN (signed): reconfiguring zone keys
15-Aug-2023 03:02:50.963 dnssec: info: Fetching 193.140.195.in-addr.arpa/ECDSAP256SHA256/61721 (KSK) from key repository.
15-Aug-2023 03:02:50.963 dnssec: info: DNSKEY 193.140.195.in-addr.arpa/ECDSAP256SHA256/61721 (KSK) is now published
15-Aug-2023 03:02:50.963 dnssec: info: DNSKEY 193.140.195.in-addr.arpa/ECDSAP256SHA256/61721 (KSK) is now active
15-Aug-2023 03:02:50.963 dnssec: info: Fetching 193.140.195.in-addr.arpa/ECDSAP256SHA256/7315 (ZSK) from key repository.
15-Aug-2023 03:02:50.963 dnssec: info: DNSKEY 193.140.195.in-addr.arpa/ECDSAP256SHA256/7315 (ZSK) is now published
15-Aug-2023 03:02:50.963 dnssec: info: DNSKEY 193.140.195.in-addr.arpa/ECDSAP256SHA256/7315 (ZSK) is now active
15-Aug-2023 03:02:50.967 dnssec: info: Removing expired key 193.140.195.in-addr.arpa/22412/ECDSAP256SHA256 from DNSKEY RRset.
15-Aug-2023 03:02:50.967 dnssec: info: DNSKEY 193.140.195.in-addr.arpa/ECDSAP256SHA256/22412 (ZSK) is now deleted

However, the .signed.jnl of the above zone shows that nothing was done:

zsh% named-journalprint 193.140.195.in-addr.arpa.signed.jnl
Source serial = 2023080600
del 193.140.195.in-addr.arpa. 86400 IN SOA ns.trex.fi. hostmaster.trex.fi. 2023060600 10800 3600 1300000 90000
add 193.140.195.in-addr.arpa. 86400 IN SOA ns.trex.fi. hostmaster.trex.fi. 2023080600 10800 3600 1300000 80000
zsh%

For most zones, it doesn't even create that journal.

Config for the above zone:

zone "193.140.195.in-addr.arpa" {
        type master;
        file "/etc/bind/193.140.195.in-addr.arpa";
        allow-transfer { ok-transfers; };
        also-notify { hidden-anycasts; };
        key-directory "/etc/bind/keys";
        dnssec-policy "trex-policy";
        inline-signing yes;
        max-journal-size 1M;
};
I've tried rndc sign/reload and restarting bind9 and resetting the signature files countless times. I turned dnssec logging severity to debug 3, but comparing the logs for the problem zones with a zone that still works doesn't show anything different. The zone that still works was migrated later.

I'm getting nowhere... (Well at least it's not giving SERVFAIL for the zones anymore.)
Is there some way I could manually sign the zone to buy some time? In a way that doesn't adversely interfere with the inline signing...

--
        Aleksi Suhonen
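A quick check for the symptom described in this report (a .signed file that is identical to its unsigned source), added here as an example; it is not part of the bug report or of bind9. It assumes zone text with one RR per line, as named writes it, and uses constructed sample zones whose key and signature data are placeholders.

```python
"""Report whether a '.signed' zone view actually carries DNSSEC records."""
import re
from collections import Counter

# Constructed sample: the unsigned source zone (SOA values taken from the report).
UNSIGNED_ZONE = """\
$ORIGIN 193.140.195.in-addr.arpa.
$TTL 86400
@   IN SOA ns.trex.fi. hostmaster.trex.fi. 2023080600 10800 3600 1300000 80000
@   IN NS  ns.trex.fi.
1   IN PTR host1.example.
"""

# Constructed sample of a correctly signed view; key and signature fields are placeholders.
SIGNED_ZONE = UNSIGNED_ZONE + """\
@   IN DNSKEY 257 3 13 PLACEHOLDER-KSK-PUBKEY==
@   IN DNSKEY 256 3 13 PLACEHOLDER-ZSK-PUBKEY==
@   IN RRSIG  SOA 13 5 86400 20230915000000 20230815000000 7315 193.140.195.in-addr.arpa. PLACEHOLDER-SIG==
@   IN RRSIG  DNSKEY 13 5 86400 20230915000000 20230815000000 61721 193.140.195.in-addr.arpa. PLACEHOLDER-SIG==
@   IN NSEC   1.193.140.195.in-addr.arpa. NS SOA RRSIG NSEC DNSKEY
"""

DNSSEC_TYPES = ("DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "CDS", "CDNSKEY")
# owner, optional TTL, optional class, type, rdata
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z0-9]+)\s+(.*)$")

def zone_summary(text):
    """Count RR types and pick up the SOA serial from one-RR-per-line zone text."""
    serial, types = None, Counter()
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()      # drop comments
        if not line or line.startswith("$"):       # skip blanks and $ directives
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        rtype, rdata = m.group(2), m.group(3).split()
        types[rtype] += 1
        if rtype == "SOA" and len(rdata) >= 3:
            serial = int(rdata[2])
    return {"serial": serial, "types": types}

def is_effectively_signed(summary):
    """Keys, signatures and a denial-of-existence chain must all be present."""
    t = summary["types"]
    return t["DNSKEY"] > 0 and t["RRSIG"] > 0 and (t["NSEC"] + t["NSEC3"]) > 0

def compare(source_text, signed_text):
    """Summarise what the signed view adds over the source; 'signed' False means no signing happened."""
    src, sig = zone_summary(source_text), zone_summary(signed_text)
    return {"source_serial": src["serial"], "signed_serial": sig["serial"],
            "signed": is_effectively_signed(sig),
            "dnssec_records": {k: sig["types"][k] for k in DNSSEC_TYPES if sig["types"][k]}}
```

Run `compare()` on the real source file and the output of `named-compilezone -j` (or `rndc sign` plus a dump) to confirm whether the served view carries any RRSIG records before trusting the "is now active" log lines.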