DNSSEC will eventually generate Identical Key ID's

2018-09-09 Thread Mark Elkins
Just for the record, although I do look from a curiosity point of view
for Identical Key ID's once every few month - I've never seen them -
until now.

Now I have them - generated by BIND within a few days of each other...


-rw-r--r-- 1 root root   431 Aug 18 00:03 Kipv6.org.za.+008+46578.key
-rw--- 1 root root  1012 Aug 18 00:03 Kipv6.org.za.+008+46578.private

# cat Kipv6.org.za.+008+46578.key
; This is a zone-signing key, keyid 46578, for ipv6.org.za.
; Created: 20180817220323 (Sat Aug 18 00:03:23 2018)
; Publish: 20180817220323 (Sat Aug 18 00:03:23 2018)
; Activate: 20180817220323 (Sat Aug 18 00:03:23 2018)
ipv6.org.za. IN DNSKEY 256 3 8
AwEAAbdOBycxs6uv0fgkpxh1DyFNyVdWlHfVWy4zKAeEM0MEYeR/idNO
/Z7aWFLlHsEADEpUGuz5dpHRP5OgPDzFesa1AdK0YsbzkDVsRD10Epjt
1CakfLbYqnrn4i/+Ds7VGDQJa83+JOewhKl5lSbGMCtvycFoXg7pyi+A bsCQvITN


-rw-r--r-- 1 root root   431 Aug 23 00:03 Kftth.net.za.+008+46578.key
-rw--- 1 root root  1008 Aug 23 00:03 Kftth.net.za.+008+46578.private

# cat Kftth.net.za.+008+46578.key
; This is a zone-signing key, keyid 46578, for ftth.net.za.
; Created: 2018080329 (Thu Aug 23 00:03:29 2018)
; Publish: 2018080329 (Thu Aug 23 00:03:29 2018)
; Activate: 2018080329 (Thu Aug 23 00:03:29 2018)
ftth.net.za. IN DNSKEY 256 3 8
AwEAAeB+Q8/GXSoyp3eMHusIgxlr51HUMhMpsRUzhp5A4TlnGPPXHw3C
ktwELF4FzPpnHWrHuOL+PewPU15KL6rQ+y4jN1s9tRMK7+jyTuttSnsF
R9gmmhtCvyZ+GtmAhcBVaoe/4VfZMOCHjthwLxoqMy1l19qx9Yy5jVtd WWa+q6Ot

I've been running DNSSEC for 7 years and have around 400 DNSSEC keys for
133 signed Domains.
I'm a smallish Registrar for ZA domains.

Never assume a KeyID is unique.  :-)

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNSSEC will eventually generate Identical Key ID's

2018-09-09 Thread Anand Buddhdev
On 09/09/2018 19:51, Mark Elkins wrote:

> Never assume a KeyID is unique.  :-)

One of the DNSSEC RFCs specifically says that the KeyID is not meant to
be unique. I can't remember which one, and it's too late on a Sunday
evening to be reading RFCs :)

Even then, I've had the misfortune of dealing with a vendor whose
developers didn't read the RFCs properly, and designed their key store
using the key IDs as indexes. So one fine day, we had a zone signed with
one key, but the DS record came from another key. Boom. Yuck. What a
mess it was to sort out!

Regards,
Anand


Re: DNSSEC and secondary DNS servers

2018-09-09 Thread @lbutlr
On 08 Sep 2018, at 11:46, @lbutlr wrote:
> I need to check that I am supposed to generate the digest.

to check *HOW* I am supposed to generate the digest.



-- 
Ille Qui Nos Omnes Servabit



Re: DNSSEC and secondary DNS servers

2018-09-09 Thread @lbutlr
On 08 Sep 2018, at 10:21, Mark Elkins wrote:
> Have you DNSSEC Signed your Domain - that is "covisp.net" because I
> don't see any DS records for it in the "net" zone.

Not yet, I want to have everything working on my side before I go upstream. 
Hover is pretty simple to setup the DNSSEC but I need to check that I am 
supposed to generate the digest.



-- 
I never wanted to do this in the first place.



Re: DNSSEC and secondary DNS servers

2018-09-09 Thread LuKreme
On Sep 8, 2018, at 10:21, Mark Elkins wrote:
> Have you DNSSEC Signed your Domain - that is "covisp.net" because I
> don't see any DS records for it in the "net" zone.

I think I have everything set now and am hoping the two errors I have about 
validation are a matter of waiting for Hover to propagate.

“None of the 2 DNSKEY records could be validated by any of the 2 DS records”

Thanks for all your help. We'll see if I still show this as broken tomorrow.

-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now.



DNSSEC and secondary DNS servers

2018-09-09 Thread Mark Elkins
(Seems I can't reply directly to the author)

$ dig covisp.net ds
; <<>> DiG 9.11.2-P1 <<>> covisp.net ds
...
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21696
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
...
;; ANSWER SECTION:
covisp.net.        86352    IN    DS    1 7 1
E59B549EC68D577C44A4E13542257CA44FE21970
covisp.net.        86352    IN    DS    2 7 2
051033AF1BC909BE73FCFE4B59B1BDD2B8D7F8BF7BD840174AC1DEF7 14895D02

Umm... this initially looks great but something is seriously strange.
The first numerical value after DS should be the Key ID (or Key Tag). I
really doubt that you would (randomly) create two different DNSKEY
records with sequential Key-ID's (Tags) starting from "1"... it's usually
a relatively random value between 1 and 2^16.

Also as an aside - many people are no longer putting the SHA-1 Digest
type DS record in their parent, just the longer (more secure?) SHA-256
(Digest Type 2) record.

As the root uses Algorithm 8 - many people also use algorithm 8 - you
are using algorithm 7. Algorithm roll-overs are a pain so if you can -
move straight to 8.

I also cannot detect a DNSKEY in your zone?
dig covisp.net dnskey +cd
...gives your SOA.
Without the "+cd" (ignore any DNSSEC validation) - I get a SERVFAIL.

Adding DS records into your parent should be the last part of the
process in securing your Zone with DNSSEC.

I really think you need to start over. What are you using to sign your
zone with? Maybe I can help.
Take a look at https://dnssec.co.za

On 09/09/2018 08:59 PM, LuKreme wrote:
> On Sep 8, 2018, at 10:21, Mark Elkins wrote:
>> Have you DNSSEC Signed your Domain - that is "covisp.net" because I
>> don't see any DS records for it in the "net" zone.
>
> I think I have everything set now and am hoping the two errors I have
> about validation are a matter of waiting for Hover to propagate.
>
> “None of the 2 DNSKEY records could be validated by any of the 2 DS
> records”
>
> Thanks for all your help. We'll see if I still show this as broken
> tomorrow.
>
> -- 
> My main job is trying to come up with new and innovative and effective
> ways to reject even more mail. I'm up to about 97% now.
>

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

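Two points in this archive are worth seeing in code: Mark's first post (two BIND-generated ZSKs sharing keyid 46578, "Never assume a KeyID is unique") and his last one (DS records whose key tags look wrong, and a validator reporting that no DNSKEY matches any DS). The block below is an added example, not code from the thread, from BIND or from ISC. It implements the RFC 4034 Appendix B key tag and the RFC 4034 section 5.1.4 DS digest, shows a tag-only key store silently overwriting a key (the vendor bug Anand describes) next to a store keyed by the full DNSKEY, and shows that a validator compares the digest, not just the tag. The two DNSKEY records in `main` are copied from the first post; the "colliding" keys in `demo_collision` are constructed byte strings (not real RSA material) chosen so that their tags are equal, and the owner name `example.test.` is assumed.

```python
"""Key tags and DS digests for DNSKEY records (RFC 4034). Added example."""
import base64
import hashlib
import struct


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over DNSKEY RDATA.

    Even-offset bytes are weighted by 256, odd-offset bytes by 1, and the
    carry is folded back in once. Only 65536 values exist, so distinct keys
    collide by design; the tag is a hint for lookup, not an identifier.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Build DNSKEY RDATA from presentation-format fields. The base64 may be
    split across whitespace, as it is in BIND key files and dig output."""
    pubkey = base64.b64decode("".join(pubkey_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels with length bytes."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


# DS digest types seen in the thread: 1 = SHA-1 (legacy), 2 = SHA-256.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS fields (key tag, algorithm, digest type, hex digest) for a DNSKEY,
    per RFC 4034 section 5.1.4: digest = H(owner name | DNSKEY RDATA)."""
    algorithm = rdata[3]
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """What a validator checks before trusting a DNSKEY: tag and algorithm
    must agree AND the digest must recompute. A matching tag alone proves nothing."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return False
    return make_ds(owner, rdata, digest_type) == (tag, algorithm, digest_type, digest.upper())


def index_by_tag(keys: dict) -> dict:
    """The vendor mistake: a key store indexed by tag only. A second key with
    the same tag silently replaces the first."""
    return {key_tag(rdata): (owner, rdata) for owner, rdata in keys.items()}


def index_by_key(keys: dict) -> dict:
    """Safer: index by (tag, algorithm, full RDATA); colliding tags coexist."""
    return {(key_tag(r), r[3], r): owner for owner, r in keys.items()}


def demo_collision() -> dict:
    """Constructed keys (not real RSA material) whose tags both come to 1548.

    Swapping two even-offset bytes keeps the RFC 4034 checksum unchanged."""
    k1 = struct.pack("!HBB", 256, 3, 8) + b"\x00\x01\x02\x03"
    k2 = struct.pack("!HBB", 256, 3, 8) + b"\x02\x01\x00\x03"
    keys = {"a.example.test.": k1, "b.example.test.": k2}
    ds_for_k1 = make_ds("example.test.", k1)
    return {
        "tags": (key_tag(k1), key_tag(k2)),
        "by_tag_entries": len(index_by_tag(keys)),   # 1: the collision lost a key
        "by_key_entries": len(index_by_key(keys)),   # 2: both kept
        "k1_validates": ds_matches("example.test.", k1, ds_for_k1),
        "k2_validates": ds_matches("example.test.", k2, ds_for_k1),  # same tag, wrong digest
    }


if __name__ == "__main__":
    # The two ZSKs from the first post, both reported by BIND as keyid 46578.
    page_keys = {
        "ipv6.org.za.": dnskey_rdata(256, 3, 8, """
            AwEAAbdOBycxs6uv0fgkpxh1DyFNyVdWlHfVWy4zKAeEM0MEYeR/idNO
            /Z7aWFLlHsEADEpUGuz5dpHRP5OgPDzFesa1AdK0YsbzkDVsRD10Epjt
            1CakfLbYqnrn4i/+Ds7VGDQJa83+JOewhKl5lSbGMCtvycFoXg7pyi+A bsCQvITN"""),
        "ftth.net.za.": dnskey_rdata(256, 3, 8, """
            AwEAAeB+Q8/GXSoyp3eMHusIgxlr51HUMhMpsRUzhp5A4TlnGPPXHw3C
            ktwELF4FzPpnHWrHuOL+PewPU15KL6rQ+y4jN1s9tRMK7+jyTuttSnsF
            R9gmmhtCvyZ+GtmAhcBVaoe/4VfZMOCHjthwLxoqMy1l19qx9Yy5jVtd WWa+q6Ot"""),
    }
    for owner, rdata in page_keys.items():
        print(owner, "key tag", key_tag(rdata), "DS", make_ds(owner, rdata))
    print(demo_collision())
```

Run stand-alone it prints the tag and SHA-256 DS for each of Mark's two keys, then the collision summary. The DS the script computes for a key is what should be published at the parent once the DNSKEY is actually served from the zone, which is why Mark calls the DS step the last one: a DS whose tag or digest matches nothing in the DNSKEY RRset produces exactly the "None of the 2 DNSKEY records could be validated by any of the 2 DS records" failure.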