Re: How to introduce automatic signing for existing signed zones?
On 8 Nov 2022, at 7:54, Matthijs Mekking wrote:

> Thanks for reporting back. This is an omission in our KB article that I will fix.

Thanks, Matthijs. I think that will be useful.

Niall

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: How to introduce automatic signing for existing signed zones?
Niall,

Thanks for reporting back. This is an omission in our KB article that I will fix.

- Matthijs

On 07-11-2022 18:24, Niall O'Reilly wrote:

> On 7 Nov 2022, at 11:40, Niall O'Reilly wrote:
>
>> Preparation:
>>
>> - Set up minimal stand-alone instance of BIND9 named, configured with a **dnssec-policy** for each algorithm, matching properties of existing DNSSEC keys, and with `lifetime unlimited`;
>> - Deliver current key files and recently-signed copy of zone files to this instance.
>
> I needed an additional stage of preparation, before delivering the key files; specifically, I needed to edit the .private files to 'Private-key-format: v1.3' and add missing lifecycle metadata.
>
> After doing this, named behaved exactly as expected.
>
> Thanks, Matthijs, for steering me in the right direction, and for being ready to give me additional help.
>
> /Niall
Re: How to introduce automatic signing for existing signed zones?
On 7 Nov 2022, at 11:40, Niall O'Reilly wrote:

> Preparation:
>
> - Set up minimal stand-alone instance of BIND9 named, configured with a **dnssec-policy** for each algorithm, matching properties of existing DNSSEC keys, and with `lifetime unlimited`;
> - Deliver current key files and recently-signed copy of zone files to this instance.

I needed an additional stage of preparation, before delivering the key files; specifically, I needed to edit the .private files to 'Private-key-format: v1.3' and add missing lifecycle metadata.

After doing this, named behaved exactly as expected.

Thanks, Matthijs, for steering me in the right direction, and for being ready to give me additional help.

/Niall
Re: How to introduce automatic signing for existing signed zones?
Thank you for your speedy response, Matthijs.

On 7 Nov 2022, at 13:10, Matthijs Mekking wrote:

> Ignore that, I saw too late there were attachments.

Perhaps I ought to have mentioned them explicitly.

> Are you able to share the public key and key state files with me so I can investigate why BIND thinks the existing keys cannot be used?

Off list, and PGP-protected, yes. This will mean I'll end up having to change the parent DS RRs later on. That seems a reasonable cost for getting to the root of the problem.

I have no key state files, except after starting named, and then only for the RSA/SHA-256 and **newly-generated** ECDSA keys. My current signing process uses ldns-signzone, which seems not to use such files.

> Also, the log file looks like an excerpt.

No; that's everything named, as configured, writes.

> A full debug (level 3) log would be useful too.

I'll set up for that, and follow up off list.

Thanks and best regards,
Niall
Re: How to introduce automatic signing for existing signed zones?
On 07-11-2022 14:04, Matthijs Mekking wrote:

> Hi Niall,
>
> You need to share the dnssec-policy for no8.be in order to investigate why it doesn't show the expected behavior, but I suspect that the policy did not match the properties for the existing DNSSEC keys completely.

Ignore that, I saw too late there were attachments.

Are you able to share the public key and key state files with me so I can investigate why BIND thinks the existing keys cannot be used?

Also, the log file looks like an excerpt. A full debug (level 3) log would be useful too.

Best regards,
Matthijs

> Best regards,
> Matthijs
>
> On 07-11-2022 12:40, Niall O'Reilly wrote:
>
>> I have a couple of zones which I want to migrate from CLI-driven signing to BIND9 automatic signing, while avoiding any change to the respective parent-zone DS RR.
>>
>> Status quo ante:
>>
>> - https://dnsviz.net/d/no8.be/dnssec/ separate KSK, ZSK; both using alg 13
>> - https://dnsviz.net/d/jamm.ie/dnssec/ 2048-bit KSK, 2x 1024-bit ZSKs (live and spare); all using alg 8
>>
>> Preparation:
>>
>> - Set up minimal stand-alone instance of BIND9 named, configured with a **dnssec-policy** for each algorithm, matching properties of existing DNSSEC keys, and with `lifetime unlimited`;
>> - Deliver current key files and recently-signed copy of zone files to this instance.
>>
>> Expected behaviour on starting named:
>>
>> - Zones are loaded;
>> - Spare ZSK for jamm.ie is retired;
>> - Other keys for each zone are accepted and retained;
>> - A CDS RR is generated for each zone, matching the current DS RR.
>>
>> Observed behaviour:
>>
>> - `named -v` shows `BIND 9.18.8 (Stable Release)`;
>> - Zones are loaded;
>> - Spare ZSK for jamm.ie is retired;
>> - Other RSA/SHA-256 keys (for jamm.ie) are accepted and retained;
>> - A CDS RR is published for jamm.ie, matching the current DS RR;
>> - ECDSAP256SHA256 keys (for no8.be) are not accepted;
>> - New ECDSAP256SHA256 keys are created for no8.be;
>> - No CDS RR is generated for no8.be.
>>
>> Unless I'm missing something, there seems to be a discrepancy according to key type between the handling of RSA/SHA-256 and ECDSAP256SHA256 keys respectively.
>>
>> /Niall
Re: How to introduce automatic signing for existing signed zones?
Hi Niall,

You need to share the dnssec-policy for no8.be in order to investigate why it doesn't show the expected behavior, but I suspect that the policy did not match the properties for the existing DNSSEC keys completely.

Best regards,
Matthijs

On 07-11-2022 12:40, Niall O'Reilly wrote:

> I have a couple of zones which I want to migrate from CLI-driven signing to BIND9 automatic signing, while avoiding any change to the respective parent-zone DS RR.
>
> Status quo ante:
>
> - https://dnsviz.net/d/no8.be/dnssec/ separate KSK, ZSK; both using alg 13
> - https://dnsviz.net/d/jamm.ie/dnssec/ 2048-bit KSK, 2x 1024-bit ZSKs (live and spare); all using alg 8
>
> Preparation:
>
> - Set up minimal stand-alone instance of BIND9 named, configured with a **dnssec-policy** for each algorithm, matching properties of existing DNSSEC keys, and with `lifetime unlimited`;
> - Deliver current key files and recently-signed copy of zone files to this instance.
>
> Expected behaviour on starting named:
>
> - Zones are loaded;
> - Spare ZSK for jamm.ie is retired;
> - Other keys for each zone are accepted and retained;
> - A CDS RR is generated for each zone, matching the current DS RR.
>
> Observed behaviour:
>
> - `named -v` shows `BIND 9.18.8 (Stable Release)`;
> - Zones are loaded;
> - Spare ZSK for jamm.ie is retired;
> - Other RSA/SHA-256 keys (for jamm.ie) are accepted and retained;
> - A CDS RR is published for jamm.ie, matching the current DS RR;
> - ECDSAP256SHA256 keys (for no8.be) are not accepted;
> - New ECDSAP256SHA256 keys are created for no8.be;
> - No CDS RR is generated for no8.be.
>
> Unless I'm missing something, there seems to be a discrepancy according to key type between the handling of RSA/SHA-256 and ECDSAP256SHA256 keys respectively.
>
> /Niall
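The two preparation steps this thread turns on, a dnssec-policy whose key lines match the existing keys (the original post above) and .private files bumped to 'Private-key-format: v1.3' with the missing lifecycle metadata added (Niall's follow-up earlier in the thread), as an added Python illustration. It is neither ISC's code nor the poster's procedure. It assumes BIND-style K<zone>+<alg>+<id>.key/.private file pairs, covers only the two algorithms in the thread (8 and 13) with the policy mnemonics rsasha256 and ecdsa256, and uses constructed key material that is not a usable key; the timestamp it writes into Created/Publish/Activate is an assumed value chosen for the example.

```python
"""Prepare existing DNSSEC key files (e.g. from ldns-keygen) for import into BIND 9
dnssec-policy: bump .private files to v1.3 with timing metadata, and render a
policy whose key lines match the keys one-for-one.

Illustration added to this thread; not ISC code and not the poster's procedure.
Assumed: BIND-style K<zone>+<alg>+<id>.key/.private pairs, policy mnemonics for
algorithms 8 and 13 only, and constructed key material that is not a usable key.
"""
import base64
import re
from datetime import datetime, timezone

RSA_ALGS = {5, 7, 8, 10}
ALG_MNEMONIC = {8: "rsasha256", 13: "ecdsa256"}  # dnssec-policy algorithm names
TIMING = ("Created", "Publish", "Activate")       # v1.3 lifecycle metadata lines
DNSKEY_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+3\s+(\d+)\s+")


def parse_private(text):
    """Split a .private file into its 'Field: value' pairs."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def upgrade_private(text, when):
    """Return (new_text, added_fields): format line set to v1.3 and any missing
    Created/Publish/Activate line filled with `when` (UTC, BIND's YYYYMMDDHHMMSS).
    A file that is already complete comes back unchanged with added_fields == []."""
    have = parse_private(text)
    stamp = when.strftime("%Y%m%d%H%M%S")
    lines = ["Private-key-format: v1.3" if l.startswith("Private-key-format:") else l
             for l in text.splitlines()]
    added = [f for f in TIMING if f not in have]
    lines += [f"{f}: {stamp}" for f in added]
    return "\n".join(lines) + "\n", added


def describe_key(public_text, private_text):
    """Derive role (KSK when the SEP flag is set), algorithm and size of a key pair,
    cross-checking the algorithm between the .key and .private files."""
    match = None
    for line in public_text.splitlines():
        match = DNSKEY_RE.match(line)
        if match:
            break
    if not match:
        raise ValueError("no DNSKEY record in .key file")
    flags, alg = int(match.group(2)), int(match.group(3))
    priv = parse_private(private_text)
    if int(priv["Algorithm"].split()[0]) != alg:
        raise ValueError("algorithm mismatch between .key and .private")
    if alg in RSA_ALGS:   # size is the modulus length in bits
        bits = int.from_bytes(base64.b64decode(priv["Modulus"]), "big").bit_length()
    elif alg == 13:       # ECDSAP256SHA256 has a fixed size
        bits = 256
    else:
        raise ValueError(f"no policy mnemonic for algorithm {alg}")
    return {"role": "ksk" if flags & 1 else "zsk", "alg": alg, "bits": bits}


def policy_for(name, keys):
    """Render a dnssec-policy with one key line per distinct (role, alg, size),
    so a spare ZSK with the same properties does not get a second line, and with
    'lifetime unlimited' so named never schedules a rollover of its own."""
    seen = set()
    lines = [f'dnssec-policy "{name}" {{', "    keys {"]
    for k in keys:
        sig = (k["role"], k["alg"], k["bits"])
        if sig in seen:
            continue
        seen.add(sig)
        size = f" {k['bits']}" if k["alg"] in RSA_ALGS else ""
        lines.append(f"        {k['role']} lifetime unlimited algorithm "
                     f"{ALG_MNEMONIC[k['alg']]}{size};")
    lines += ["    };", "};"]
    return "\n".join(lines)


# Constructed samples (not real keys): a v1.2 ECDSA KSK lacking timing metadata,
# and a complete v1.3 RSA ZSK with a 1024-bit modulus.  SAMPLE_WHEN is an assumed date.
SAMPLE_WHEN = datetime(2022, 11, 7, tzinfo=timezone.utc)
ECDSA_KEY = "no8.be. IN DNSKEY 257 3 13 " + base64.b64encode(b"\x01" * 64).decode() + "\n"
ECDSA_PRIVATE = ("Private-key-format: v1.2\nAlgorithm: 13 (ECDSAP256SHA256)\n"
                 "PrivateKey: " + base64.b64encode(b"\x02" * 32).decode() + "\n")
RSA_KEY = "jamm.ie. IN DNSKEY 256 3 8 AwEAAQ==\n"
RSA_PRIVATE = ("Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n"
               "Modulus: " + base64.b64encode(b"\x80" + bytes(127)).decode() + "\n"
               "Created: 20221107120000\nPublish: 20221107120000\nActivate: 20221107120000\n")

if __name__ == "__main__":
    new_text, added = upgrade_private(ECDSA_PRIVATE, SAMPLE_WHEN)
    print(new_text + "added: " + ", ".join(added))
    print(policy_for("no8be-static", [describe_key(ECDSA_KEY, ECDSA_PRIVATE)]))
    rsa = describe_key(RSA_KEY, RSA_PRIVATE)
    print(policy_for("jammie-static", [rsa, rsa]))  # live + spare ZSK collapse to one line
```

Run it over the key directory before handing the files to the stand-alone named; BIND's own dnssec-settime can set the same Publish and Activate times (-P/-A) if you prefer not to edit the files by hand. A policy that named will load also needs a KSK (or csk) line, which the jamm.ie sample above omits because only a ZSK is constructed; with every key on `lifetime unlimited`, named schedules no rollover, so the parent DS stays as it is, which was the constraint the original post set.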